ABSTRACT

This paper deals with logics of programs. The objective is to formalize a notion of program description, and to give both plausible (semantic) and effective (syntactic) criteria for the notion of truth of a description. A novel feature of this treatment is the development of the mathematics underlying Floyd-Hoare axiom systems independently of such systems. Other directions that such research might take are also considered.

This paper grew out of, and is intended to be usable as, class notes [27] for an introductory semantics course. The three sections of the paper are:

1. A framework for the logic of programs.

Programs and their partial correctness theories are treated as binary relations on states and formulae respectively. Truth-values are assigned to partial correctness assertions in a plausible (Tarskian) but not directly usable way.

2. Particular Programs.

Effective criteria for truth are established for some programs using the Tarskian criteria as a benchmark. This leads directly to a sound, complete, effective axiom system for the theories of these programs. The difficulties involved in finding such effective criteria for other programs are explored. The reader's attention is drawn to Theorems 4, 16, 18 and 22-24, as worthy of mention even out of the context in which they now appear.

3. Variations and extensions of the framework.

Alternatives to binary relations for both programs and theories are speculated on, and their possible roles in semantics are considered. We discuss a hierarchy of varieties of programs and the importance of this hierarchy to the issues of definability and describability. Modal logic is considered as a first-order alternative to Floyd-Hoare logic. We give an appropriate axiom system which is complete for loop-free programs and also puts conventional predicate calculus in a different light by lumping quantifiers with non-logical assignments rather than treating them as logical concepts.

This research was supported by the National Science Foundation under contracts 0CR74-12997 and NCS76-18461.
SEMANTICAL CONSIDERATIONS ON FLOYD-HOARE LOGIC

1. A framework for the logic of programs.

1.1 Semantics: what a program is

In this paper we restrict our attention to programs that primarily manipulate and test their environment, in contrast say to the pure lambda calculus, whose semantics need not depend on the notion of a changing environment. Floyd-Hoare logic is aimed at the former kind of program, which does not readily lend itself to direct description using classical logic. Lambda calculus and pure LISP programs fare much better with classical logic. However, the manipulate-and-test paradigm dominates the programming milieu, and the popularity of the Floyd-Hoare method for dealing with this situation makes a foundational study of the method worthwhile.

The term semantics will connote for us the relation between word and object. Two such relations appear below, as concrete program and abstract program (cf Scott [31]), and as formula and truth-value (cf Tarski [34]). When necessary we will refer to these respectively as ⟦⟧-semantics and ⊨-semantics. These reflect what we feel should be the two main concerns of theoretical semantics, namely abstract programs and their logics. This section (1.1) deals with the former, although we do not explicitly discuss concrete programs. (Section 3.1 raises the possibility that the concrete/abstract dichotomy is too narrow a point of view for ⟦⟧-semantics.) The role of section 1.1 is to provide a rigorous foundation for the remainder of the paper, which is concerned (except for section 3.1) with logics of programs.

Binary Relations. We shall use binary relations for programs along lines proposed by Eilenberg and Elgot [13], de Bakker [9,10,11], and (with relations replaced by functions) Scott [9,31]. We find it convenient to use them also for partial correctness theories of programs.

We define a binary relation R from a set A (the domain of R) to a set B (the range of R) to be a subset of A×B [10] (as opposed to a function from 2^A to 2^B [13], which is not as convenient for our purposes). We further define:

    aRb             ≡  (a,b) ∈ R
    aRbSc           ≡  aRb ∧ bSc
    R∪S, R∩S, R−S   as for any sets, infinite union and intersection included
    R∘S             ≡  {(a,c) | ∃b [aRbSc]}        (composition)
    R˘              ≡  {(b,a) | aRb}               (converse)
    XRb             ≡  ∀a∈X aRb                    for X⊆A
    aRY             ≡  ∀b∈Y aRb                    for Y⊆B
    XR              ≡  {b | ∃a∈X [aRb]}            for X⊆A   (exception: R = ⊨)
    RY              ≡  {a | ∃b∈Y [aRb]}            for Y⊆B
    X⊨              ≡  {P | X⊨P}                   (this is an exception to XR above)

Symbols. Central to the notion of environment is the symbol and its value (or interpretation, or denotation). We shall confine our attention to function symbols, predicate symbols, and logical connectives, interpreted respectively as functions, predicates, and either boolean functions or binary relations (see (2) below), all of fixed arity. We denote the collections of such symbols as ℱ, 𝒫 and 𝒞 respectively, and use subscripts to identify the collections of a given arity; thus ℱ_2 is the collection of binary function symbols. 𝒞 will always include ¬, ∧ and ∃x for all x∈ℱ_0 (i.e. first-order quantification, though very little of what we prove changes if we permit ∃x for all x∈ℱ), while 𝒫 will always include =. We let D denote the (single) domain for the functions and predicates.


We adopt the following notations.

    A→B     the set of all functions from A to B;
    f:A→B   ≡  f ∈ A→B;
    A^k     ≡  A×A×...×A   (Cartesian product of k A's).

Expressions. Expressions are trees whose vertices are labelled with symbols such that:
(i) each symbol's arity equals the out-degree of the vertex it labels;
(ii) going from the root to a leaf, the sequence of symbol-types encountered forms a contiguous substring of 𝒞*𝒫ℱ*.

We use the following concepts and notations.

    Formula   An expression whose root's label is in 𝒞∪𝒫;
    Term      An expression whose root's label is in ℱ;
    ℒ         The set of expressions;
    ℒ_1       The set of formulae of ℒ;
    ℒ_2       The set of terms of ℒ;
    Ground    Describes an expression containing no modalities.

Useful abbreviations and their expansions are:

    P∨Q       ≡  ¬(¬P∧¬Q)                    (mutatis mutandis for ⊃, ≡, ∀x)
    true      ≡  x=x                          (mutatis mutandis for false)
    E         ≡  (E_1,...,E_n)
    E=F       ≡  E_1=F_1 ∧ ... ∧ E_n=F_n
    𝒥⊨E       ≡  (𝒥⊨E_1,...,𝒥⊨E_n)
    ∃s        ≡  ∃s_1∃s_2...∃s_n
    P(E,F)    ≡  (P(E_1,F_1),...,P(E_n,F_n))


Interpretations. We now assign meaning to expressions, along the lines spelled out by Tarski [34]. An interpretation 𝒥 (which for us will play the role of an environment) specifies for each symbol A the value A_𝒥 of A in 𝒥. Given 𝒥, we can then infer the value in 𝒥 of an expression E = A(E). This value will be written 𝒥⊨E (slightly generalizing the usual usage), and is defined by

    𝒥⊨A(E) ≡ A_𝒥(𝒥⊨E)                                                  (1)

Note that the argument E on the left becomes 𝒥⊨E on the right regardless of what A is. Under this condition we say that A is referentially transparent [28].

The only exception to (1) is when A is a modality, which is a unary logical connective whose interpretation A (independent of 𝒥) is a binary relation on interpretations. (Alternatively we could say that its interpretation A_𝒥 is a set of interpretations depending on 𝒥, namely those accessible from 𝒥 via A, in which case 𝒥A𝒦 would be written 𝒦 ∈ A_𝒥.) The definition becomes

    𝒥⊨A(P) ≡ ∨_{𝒥A𝒦} 𝒦⊨P                                                (2)

This asserts the existence of an interpretation 𝒦, accessible from 𝒥 via A, in which P is true. It is Kripke's [20] semantical interpretation of what is written ◇P by modal logicians. Such an A is not referentially transparent; we then say it is referentially opaque [28]. An immediate application is to the definition of modalities of the form ∃x where x∈ℱ_0 and ∃x is interpreted as the equivalence relation relating pairs of interpretations differing only in their assignment to x. The section on programs as binary relations will suggest a further application.

Given a set X of interpretations we shall write X⊨P for ∀𝒥∈X 𝒥⊨P, X⊨ for {P | X⊨P} (the theory of X) and ⊨P for {𝒥 | 𝒥⊨P}.


Programs as binary relations on states. We have thus far defined only conventional concepts from logic, using more or less conventional definitions. We now define a transition to be an ordered pair of states, where a state is defined to be an interpretation. Intuitively a transition represents an initial and a final state. Following de Bakker [9,10,11], we define a program to be a set of transitions, i.e. a binary relation on states.

Note that this definition makes the interpretation of a modality a program. Given a program a we let <a> denote the modality whose interpretation is a, and abbreviate ¬<a>¬ to [a], in imitation of the symbols of classical modal logic. A little thought reveals that [a]P means essentially "after executing a, P holds," or more precisely, "every transition from this state leads to a state satisfying P," while <a>P means "there exists a transition from this state to a state satisfying P." In this light, another way of viewing our interpretation of ∃x is as a program that non-deterministically assigns an arbitrary element of D to x.

Restrictions on interpretations. If every symbol were always to have the same value there could be but one state and hence but two programs, the identity program I and the empty program ∅. Useful assignment statements would not be possible. Conversely, if no restrictions (save those of arity and type) are placed on the possible values of symbols (as in pure predicate calculus), a wealth of programs is possible. We would then be studying uninterpreted program schemes. With the exception of Theorems 16-18 (and in some sense Theorems 4 and 5), our results are independent of where one lies in this spectrum. When we use familiar symbols (e.g. ¬, ∧, ∃x, =, <, 0, 1, +, −, ...), these will always be assumed to have their standard interpretation (which in practice is a function of whether D is the natural numbers, integers, reals or whatever). The universe U of possible states is thus a function solely of D, ℱ, 𝒫 and whatever restrictions are in force on interpretations of symbols. When U⊨P we shall say that P is valid.

We distinguish between symbols with a single fixed standard interpretation, symbols whose interpretation can be changed by a program, and symbols in neither category, by calling them respectively standard symbols, assignables and labels. None of these distinctions are relevant to the statement or proof of most of the theorems of Section 2, but they are important in interpreting those theorems. For example, knowing that a symbol is a label means that we know it cannot change during program execution, and hence it can safely be used to name, say, input values in both the antecedent and the consequent of a partial correctness assertion.


1.2 Logic: how to describe a program

So far we have said what a program is, a ⟦⟧-semantical concern. We now consider ways to talk about programs, a concern of logic.

Partial correctness assertions. A partial correctness assertion (pca) is an ordered pair of formulae of ℒ_1, called respectively the antecedent and the consequent. Pca's were first studied carefully by Floyd [14], who called them verification conditions. They were later further popularized by Hoare [16]. Though they do not constitute the only possible description language, as we shall see in section 3, and also are lop-sided in their ability to discuss termination (they can only discuss non-termination), they are nevertheless of considerable practical and theoretical interest. We shall refer to program-oriented logics whose language is ℒ_1² as Floyd-Hoare logics.

The meaning of a pca is defined as an extension to the Tarskian definitions (1) and (2) (⊨-semantics). We extend ⊨ so that it is defined not only on U×ℒ but also on U²×ℒ_1², as follows:

    (𝒥,𝒦)⊨(P,Q) ≡ (𝒥⊨P ⊃ 𝒦⊨Q)                                           (3)

That is, a transition satisfies a pca, or the pca is true of the transition, when the truth of the antecedent before the transition implies the truth of the consequent after. We refer to these two usages of ⊨ as unary and binary respectively; more generally, we distinguish conventional logics from Floyd-Hoare logics by calling them respectively unary and binary logics. Unary logics deal with static situations, binary logics with dynamic situations.

For a set a of transitions (i.e. a program), a⊨(P,Q) means that (P,Q) is true of every transition in the program a; we then say (P,Q) is true of a, and that a satisfies (P,Q). Similarly, a⊨ denotes the set of pca's true of a, which we shall call the partial correctness theory of a, abbreviated to {a} (following Hoare [16], but using boldface to distinguish { } from set brackets { }). Since {a} is a set of pairs of formulae we can treat it as a binary relation on ℒ_1 and write P{a}Q for a⊨(P,Q).

One can think of (P,Q) as providing an upper bound on programs, in the sense that the programs satisfying (P,Q) are just the subsets of ⊨(P,Q). In this role, (P,Q) can assert non-termination, but because ∅⊨(P,Q) for any (P,Q), it cannot assert termination.


The Duality Principle for Programs. In static logic there is a duality between true and false. In dynamic logic a similar duality obtains between forward and backward execution of programs. The (easily checked) Duality Principle for a program a is

    {a} = (¬{a˘})˘                                                       (D)

where ¬(P,Q) is defined as (¬P,¬Q). Thus P{a}Q is equivalent to ¬Q{a˘}¬P. This principle can occasionally simplify discussion of forward execution by reducing it to backward execution or vice versa. The axiom of modus tollens in static logic (a⊃b ≡ ¬b⊃¬a) can be thought of as the duality principle applied to the program I.

Weakest Antecedents and Strongest Consequents. We observed earlier that [a]P could be interpreted as "after executing a, P holds." It follows that ([a]P){a}P holds. Moreover, no weaker antecedent than [a]P will permit the consequent P; indeed, if 𝒥⊭[a]P then 𝒥⊨<a>¬P, so there exists 𝒦 satisfying 𝒥a𝒦 such that 𝒦⊭P. We call any formula logically equivalent to [a]P a weakest antecedent (Dijkstra [12]) of P via a. This is summarized by

    P{a}Q ≡ ⊨(P ⊃ [a]Q)                                                  (W)

By the duality principle (D), all of the above holds equally well for ¬P{a˘}(¬[a]P), and hence for P{a}(<a˘>P). We call any formula logically equivalent to <a˘>P a strongest consequent (Floyd [15]) of P via a. The dual of (W) is

    P{a}Q ≡ ⊨(<a˘>P ⊃ Q)                                                 (S)

Though we have given syntactic characterizations of weakest antecedent and strongest consequent, these translate immediately into semantic characterizations by virtue of our having already specified the semantics of modalities. This approach is slightly more convenient to work with than defining the concepts directly in terms of interpretations, particularly since we need the concept of modality for other purposes.
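The following is an added example and not part of the paper: a Python model of definitions (2) and (3) over a constructed finite universe (D = {0,1,2}, assignables x and y), with formulae represented semantically as the sets ⊨P. On such a model [a]P, <a>P, the truth of P{a}Q, the Duality Principle (D) and the characterizations (W) and (S) can all be computed and compared directly. The sample programs, formulae and function names are this example's own assumptions.

```python
import itertools

# Constructed finite model (not the paper's): D = {0, 1, 2} and two assignables
# x and y, so the universe U of states has 9 interpretations, each written as
# the pair (value of x, value of y).
D = (0, 1, 2)
U = frozenset(itertools.product(D, repeat=2))


def sat(pred):
    """The set |=P of states satisfying P, for P given as a Python predicate."""
    return frozenset(s for s in U if pred(*s))


def program(step):
    """A program is a set of transitions; step(x, y) lists the final states
    reachable from the initial state (x, y)."""
    return frozenset((s, t) for s in U for t in step(*s))


def converse(a):
    return frozenset((t, s) for (s, t) in a)


def diamond(a, P):
    """Definition (2): <a>P holds at s iff some a-successor of s satisfies P."""
    return frozenset(s for (s, t) in a if t in P)


def box(a, P):
    """[a]P abbreviates not <a> not P: every a-successor satisfies P."""
    return U - diamond(a, U - P)


def pca(a, P, Q):
    """Definition (3) lifted to a program: a |= (P,Q) iff every transition
    (s,t) of a has s in |=P implying t in |=Q."""
    return all(s not in P or t in Q for (s, t) in a)


# Sample programs: x <- x+1 (mod 3), the non-deterministic x <- RANDOM that
# interprets the quantifier "exists x", and the empty program.
INC_X = program(lambda x, y: {((x + 1) % 3, y)})
RAND_X = program(lambda x, y: {(d, y) for d in D})
EMPTY = frozenset()

P_EQ = sat(lambda x, y: x == y)               # antecedent  x = y
Q_SUCC = sat(lambda x, y: x == (y + 1) % 3)   # consequent  x = y + 1


def check_laws(a, P, Q):
    """Compare the direct truth of P{a}Q with the three characterizations in
    the text: (W) |= P -> [a]Q, (S) |= <a~>P -> Q, and (D) not-Q {a~} not-P.
    Returns (truth, W agrees, S agrees, D agrees)."""
    truth = pca(a, P, Q)
    w = P <= box(a, Q)
    s = diamond(converse(a), P) <= Q
    d = pca(converse(a), U - Q, U - P)
    return truth, w == truth, s == truth, d == truth


def examples():
    return {
        "x=y {x<-x+1} x=y+1": pca(INC_X, P_EQ, Q_SUCC),
        "x=y {x<-RANDOM} x=y+1": pca(RAND_X, P_EQ, Q_SUCC),
        "true {empty} false": pca(EMPTY, U, frozenset()),
    }


if __name__ == "__main__":
    for name, truth in examples().items():
        print(name, truth)
    print(check_laws(INC_X, P_EQ, Q_SUCC), check_laws(RAND_X, P_EQ, Q_SUCC))
```

The third entry of examples() is the point made at the end of 1.2: the empty program satisfies every pca, even (true,false), so a pca can never assert termination. Over the 9-state model the four-tuple returned by check_laws is (truth, True, True, True) for every choice of a, P and Q, which is what (W), (S) and (D) claim.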


Tidy Programs. Including the modality <a> in 𝒞 is not really cricket, since the whole idea of Floyd-Hoare logic becomes superfluous (see section 3.2 for details). We shall limit 𝒞 to ¬, ∧ and ∃x for all x∈ℱ_0. In this case we may ask whether ℒ_1 contains any formula logically equivalent to [a]P. If for a given program a the answer to this question is yes for all P∈ℒ_1, we say that a is backward tidy. (Schwarz [32] uses the terminology "backward exactly connected".) The dual epithet is forward tidy (Pratt [27] and independently Schwarz [32]). Note that the concept of tidiness finds no application in de Bakker's and Meertens' [11] ⟦⟧-semantical treatment of partial correctness, where for an "antecedent" V⊆U they define the strongest "consequent" via a to be Va, which will always be defined. While elegant, this is not logic, that is, the concept of language does not appear; they are talking about a different though closely related problem.

A program that is either forward or backward tidy we shall call tidy; when it is both, we shall call it very tidy.

When a is forward tidy it is convenient to have a function a⇒ : ℒ_1→ℒ_1 such that a⇒ takes P to a strongest consequent of P via a. We call a⇒ a forward tidiness function of a. If there exists a recursive a⇒ we shall say that a is recursively forward tidy. For convenience we will sometimes treat a⇒ as a binary relation, writing it as (a⇒). A backward tidiness function of b (if any) is written ⇐b; (⇐b) will denote the converse of the relation corresponding to the function ⇐b. The following facts formalize this.

    ∃Q(P(a⇒)Q ∧ Q ≡ <a˘>P)    if a is forward tidy                    (F∃)
    ∀Q(P(a⇒)Q ⊃ Q ≡ <a˘>P)                                            (F∀)
    ∃P(P(⇐b)Q ∧ P ≡ [b]Q)     if b is backward tidy                   (B∃)
    ∀P(P(⇐b)Q ⊃ P ≡ [b]Q)                                             (B∀)

A program may have many tidiness functions, any one of which will serve our purposes. The following is useful.

Tidiness Duality Lemma (TDL): Program a is forward tidy if and only if a˘ is backward tidy.

The following lemma supplies one valuable role for tidiness; see Theorem 7 below for another equally valuable role.

Tidiness Characterization Lemma (TCL):
(a) Let a be forward tidy. Then {a} = (a⇒)∘{I}.
(b) Let b be backward tidy. Then {b} = {I}∘(⇐b).

With this lemma, to know a tidiness function of a is to know the theory of a, or at least to reduce the problem to knowing the theory of {I} in the sense of Theorem 12 below.

We have now completely specified the notion of truth for pca's with respect to a given program. Note that this definition is plausible (what simpler rigorous yet direct definition of truth could there be?), but not accessible (evaluating the truth of P{a}Q directly from the definitions may bog down in the infinities of either the set a of transitions (when checking t⊨(P,Q) for each t∈a) or the universe U of states (when evaluating ∃x[P])). Hence we would like to trade off plausibility for effectiveness, leading to an axiom system for {a} that is sound, complete and effective. This trade-off has its analog in unary logic. In both logics this gives rise to the need to distinguish truth and proof.

In general {a} is not accessible in the above sense; however, in some simple yet useful cases, {a} is quite accessible. The following section focuses on such special cases.


2. Particular programs

2.1 Basic Programs.

The Identity and Empty Programs. The empty relation ∅, containing no transitions, and the identity relation I_U, which we shall henceforth abbreviate to I, are two simple programs of particular interest. These are characterized by the properties a∪∅ = ∅∪a = a, a∘∅ = ∅∘a = ∅ and a∘I = I∘a = a. Thus they resemble - and in fact are - the additive and multiplicative identities respectively of a semi-ring (ring with no additive inverses) with addition operator ∪ and multiplication operator ∘.

(All proofs in this section are relegated to an appendix.)

Theorem 1. {∅} = ℒ_1².

Theorem 2. {I} = {(P,Q) | U⊨(P⊃Q)}.

For convenience, rather than referring to U⊨ when we want to talk about the set of valid formulae of unary logic we shall use {I}. Though this implies a restriction of ℒ_1 to implications, this is a trivial restriction in our case. (Recall Floyd's remark [15]: "One might say facetiously that the subject matter of formal logic is the study of the verifiable interpretations of the program consisting of the null statement.")

Tests. A test is a formula P of ℒ_1, and denotes the program

    ⟦P⟧ = I_(U ∩ ⊨P)                                                     (T)
        = {(𝒥,𝒥) | 𝒥∈U ∧ 𝒥⊨P}.

Thus ⟦P⟧ will execute (without side effects) just when P is true. (The ⟦ ⟧ is borrowed from Scott [31].) Though we have reserved the word "test" for P itself, we shall also refer to ⟦P⟧ as a test when the meaning is clear. Observing that I = ⟦true⟧ and ∅ = ⟦false⟧ allows us to subsume many theorems or axioms about I and ∅ under those about tests.

Theorem 3. Let R be a test.
(a) <⟦R⟧˘>P ≡ R∧P.    (Forward tidiness)
(b) [⟦R⟧]P ≡ R⊃P.     (Backward tidiness)

The Tidiness Characterization Lemma allows us to deduce the remainder of {⟦R⟧}.

A ground test has no modalities, and corresponds to the sorts of tests permitted in, say, ALGOL. Though the above theorem did not rely on tests being ground, when we come to exhibit particular programs to make a point or prove a theorem, we will restrict ourselves to ground tests.


Assignments. An assignment is a pair of terms (F(S),T) of ℒ, corresponding to the left and right sides of a conventional assignment statement. No loss of generality ensues from parsing the left-hand side as F(S); all expressions can be so written. When S is a 0-tuple we have simple variable assignment; otherwise we have array assignment. Since the array arguments are not constrained to be integers, this encompasses the notion of record as in, say, Pascal [35]. For Floyd-Hoare logic no distinction need be drawn between functions and arrays. The corresponding program is a function of type U→U, which of course is just the special case of a binary relation on U where each element of U appears in the relation as the first component of a pair just once. It may be defined with the aid of λ-notation thus.

    ⟦F(S)←T⟧ = λ𝒥.λA. if A≠F then A_𝒥                                   (A)
                       else λs. if s≠𝒥⊨S then A_𝒥(s)
                                else 𝒥⊨T.
    (Note: s and S agree in arity.)

It will help in following this definition to keep in mind the following types of functions:

    ⟦F(S)←T⟧ : U→U
    𝒥        : ℱ→(D*→D)   (at least in this case, with only terms involved)
    𝒥⊨       : ℒ→D

It should be remarked that this is not meant as an interpretive definition of assignment in the sense that to execute an assignment one executes the body of the definition. Rather we are defining a mathematical object, which the body uniquely specifies given U. No detail of this object may be changed without doing violence to the intent of our definition, though of course as in any definition the wording of the definition may be varied.


Before proceeding to a characterization of {⟦F(S)←T⟧} we introduce the notion of substitution, suitably generalized to handle arrays. We define [T/F(Z)]P (abbreviated as P'), the result of substituting the expression T for the subtrees in P with root F, as follows.

    F(E)'   = [E'/Z]T                                                    (S1)
    A(E)'   = A(E')           non-modal A≠F                              (S2)
    (∃xP)'  = ∃y(([y/x]P)')   new y                                      (S3)

S1 performs the substitution for F; its right side simplifies to T when F is zeroary. Clearly E' is (E_1',...,E_n'). Substitution of this for Z in T means substitution of the whole tuple wherever Z occurs in T. Z is not a tuple of ℒ but rather a place-holder (for the arguments of F) that we shall employ below in instances of T.

S2 caters for referentially transparent symbols. The only modality we provide for is ∃x as in S3, which is sufficient for our purposes. (It is easy to check that ∃ may be replaced by ∀ in S3 with no other modification since ¬ is referentially transparent and covered by S2.)

(When P contains assignment modalities (not the case in this paper), a difficulty arises in extending S3, namely that of generalizing renaming of bound variables. The reader interested in pursuing this further might consider the supposedly valid formula X=0 ⊃ [X+1/Y][X←X+2](Y=1∧X=2), which is in fact not valid if the substitution is performed naively. This may be transformed to X=0 ⊃ [X+1/Y][Z←X+2](Y=1∧Z=2) to avoid this problem, along the lines of S3, but is this desirable? The reason this is not a problem for ∃X thought of as <X←RANDOM> is that RANDOM is independent of X, so renaming it to <Z←RANDOM>, or for that matter renaming <X←1> to <Z←1>, is not as distressing as renaming <X←X+2> to <Z←X+2>. Clearly we cannot rename it to <Z←Z+2> without renaming other occurrences of X possibly outside the scope of the substitution, as in the example where we have X=0. It would appear that renaming to <Z←X+2> is our only option. But then what happens in the case of array assignment? We would appreciate seeing a solution to this problem.)

In addition to substitution we need a temporary addition to ℱ, namely IF-THEN-ELSE, a peculiar symbol taking a formula for its first argument and terms for its second and third arguments. It is removed (in order to yield an expression of ℒ) by the following transformations, which move it up the tree using the first two transformations until all its arguments are formulae, permitting application of the third transformation.

    G(IF R THEN E ELSE F)  →  IF R THEN G(E) ELSE G(F)     for G∈ℱ∪𝒫;
    E  →  IF R THEN E ELSE E                               (to facilitate preceding rule)
    IF R THEN S ELSE T  →  (R∧S)∨(¬R∧T)                    for S,T∈ℒ_1.


IF lemma. Evaluating 𝒥⊨W when W is a formula containing IF-terms yields the same truth value whether IF is first removed by the above transformations or left in place and evaluated using

    𝒥⊨(IF P THEN S ELSE T) = if 𝒥⊨P then 𝒥⊨S else 𝒥⊨T.

The following reports joint work with R. Hale [27].

Theorem 4. Let F(S)←T be an assignment.
(a) <⟦F(S)←T⟧˘>P ≡ ∃t∃s(P' ∧ s=S' ∧ F(s)=T')
    where E' = [(IF Z=s THEN t ELSE F(Z))/F(Z)]E
(b) [⟦F(S)←T⟧]P ≡ P''
    where E'' = [(IF Z=S THEN T ELSE F(Z))/F(Z)]E.

When F is 0-ary, IF Z=s THEN t ELSE F(Z) can be simplified to t, giving Floyd's [15] construction of the most general consequent of an assignment statement as a special case, and IF Z=S THEN T ELSE F(Z) can be simplified to T, giving Hoare's [16] backward substitution rule for assignment as a special case, namely that

    [X←T]P ≡ [T/X]P.

(We shall often abbreviate [⟦a⟧] to [a].) Fortuitously [X←T] and [T/X] are much alike, and we rely on ← versus / to disambiguate them. Actually, since they are equivalent, the only reason one would want to distinguish them is when one wants to stress that [T/X]P is an abbreviation for something in ℒ while [X←T]P is an unabbreviated formula of modal logic. Thus [X←T] is semantic inasmuch as it has an interpretation under ⊨, while [T/X] is syntactic in that it specifies a transformation on an expression.

Lambda-calculus adherents will note the obvious similarity between [X←T]P and (λX.P)T; our above equivalence corresponds to the syntactic beta-reduction rule of the lambda-calculus. Our generalization to array assignment gives the appropriate rule for a lambda-calculus with arrays where single array elements can be bound, as in λa(y).a(x)+1, where due regard needs to be given to whether x=y.


Second-Order Assignment. We may call the above programs first-order assignments because individuals of D are being "moved around." A second-order assignment might be a pair of function symbols of the same arity, and would permit wholesale assignment of a function to a function symbol of the same arity. Thus if F and G were both binary, F←G would change the whole interpretation of F, not just its value at one point. The program ⟦F←G⟧ would then be

    λ𝒥.λA. if A≠F then A_𝒥 else G_𝒥.

This notion of second-order assignment is not as general as it might be. For example, one might want to perform F←G∘H where F,G,H are all unary. However, this would introduce higher type functionals (in this case composition) into the language, which would make matters more complicated than we are willing to allow here. (This is not to imply that [F←G∘H] is not tidy - it is backward tidy, by a variation on the argument in the proof of the following theorem, that ⟦F←G⟧ is backward tidy.)

Thinking of the first order quantifier ∃x as <x←RANDOM>, we can think of the second-order quantifier ∃f as the second-order assignment <f←RANDOMFUNCTION>. This illustrates just how close our use of "second-order" is to the conventional use.

Theorem 5. Let F←G be a second-order assignment. Then
    [⟦F←G⟧]P ≡ [G/F]P
([G/F] is a convenient abbreviation for [G(Z)/F(Z)].)
Hence second-order assignment is backward tidy.

Open problem. Is F←G always forward tidy?


2.2 Loop-free Programs.

Union. We have already defined the union of two binary relations as being conventional set union, taking advantage of the representation of relations here as sets of transitions.

Theorem 6. {a∪b} = {a}∩{b}.

Note the exact analog of this binary logic theorem in unary logic; in both logics, "the theory of the union is the intersection of the theories," whether the theories are subsets of ℒ_1 or of ℒ_1². In contrast, there is no analog of the following theorem in unary logic, in line with the idea that composition is a dynamic rather than a static operation.

Composition. Again, we have already defined the composition of two binary relations.

Theorem 7A. {a∘b} ⊇ {a}∘{b}.

The ⊇ cannot be strengthened to = without knowing more about a and b. For example, let V⊆U have no P∈ℒ_1 satisfying ⊨P = V. Let a = I_V = {(𝒥,𝒥) | 𝒥∈V} and let b = I_(U−V), so that a∪b = I and a∩b = ∅. Then a∘b = ∅, so {a∘b} is vacuously ℒ_1², the set of all pca's, including (true,false). But by the construction there can be no P simultaneously satisfying true{a}P and P{b}false, so (true,false) cannot be in {a}∘{b}, whence {a∘b} ⊋ {a}∘{b}.

Neither a nor b in this example is tidy, and in fact we can strengthen theorem 7A as follows.

Theorem 7. {a∘b} = {a}∘{b} when a is forward tidy or b is backward tidy.

Theorem 8.
(a) If a,b are forward tidy, so are a∪b and a∘b;
(b) If a,b are backward tidy, so are a∪b and a∘b.

Loop-free programs. The significance of union and composition is that, together with tests and assignments, they allow us to synthesize the abstract programs that correspond to loop-free flowcharts. The correspondence between the two may be formalized as follows. Define a flowchart to be a directed graph with edges labelled with tests and assignments (cf [17]), and having a start vertex and a set of final vertices. Take the corresponding binary relation to be the union, over all paths p from the start vertex to a final vertex, of the composition of the sequence of instructions along p. In the case of loop-free flowcharts, i.e. directed acyclic graphs, there can only be finitely many such paths, so such an abstract program can be synthesized from tests, assignments, finite union and composition. The foregoing theorems then tell us:

Corollary 9. All loop-free assignment-and-test programs are very tidy (possibly excepting forward tidiness for second order assignment).

So far we have considered only the programming constructs of tests (subsuming I and ∅), assignments, finite union and composition. We could proceed to consider further constructs such as if-then-else along the same lines. However, our preference in this case is to consider "if P then a else b" to be an abbreviation for "⟦P⟧∘a ∪ ⟦¬P⟧∘b", much as we considered ∀xP to be an abbreviation for ¬∃x¬P. Similarly, we would regard the goto construct as a notation for describing flowchart programs textually, provided this gave rise to acyclic flowcharts, allowing us to further translate the flowchart into a program involving only tests, assignments, finite union and composition. (We discuss the case when the goto gives rise to a loop later, under the heading of regular programs.)

If one wanted to be more formal one might distinguish translational semantics from ⟦⟧-semantics, classifying our definition of if-then-else as being of the former kind. The economies of description possible with such translational definitions do not need stressing.


Recursiveness. Tidiness by itself does not guarantee
usability of the tidiness functions. We say that a is forward
(backward) recursively tidy when a⇒ (⇐a) is recursive. In
the following we use "many-one reducibility" [30]: we say
X ≤_m Y when there exists a recursive function f such that x ∈ X
iff f(x) ∈ Y.


Theorem 10. {a∪b} ≤_m {a}×{b} (Cartesian product).


Theorem 11.
(a) If a is forward recursively tidy, {a·b} ≤_m {b}.
(b) If b is backward recursively tidy, {a·b} ≤_m {a}.

Theorem 12. If a is recursively tidy, {a} ≤_m {I}.

Theorem 13. Instructions are recursively very tidy.


Theorem 14. If a,b are forward (backward) recursively tidy,
so are a∪b and a·b.


By themselves these theorems are somewhat dull. Taken 
together, however, they yield the following interesting result, 
used to advantage in King's thesis [18], using backward tidiness. 


Corollary 15. If a is a loop-free assignment-and-test program,
{a} ≤_m {I}. (Note that {I}ⁿ = {I}×{I}×...×{I} ≤_m {I}
for any n, since the n questions about membership in {I} can be
rephrased as a single conjunction.)


This asserts that to decide whether (P,Q) is true of a, 
it suffices to ask whether a given first-order predicate calculus 
formula holds. 


It follows that the theory of programs without loops is
no less tractable than the "theory of the underlying logic."


Axiom Systems. The above results are quite strong,
promising recursive reductions to {I}. If we do not mind
weakening this to recursive enumerability, we can write out a
simple non-deterministic enumerator (or axiom system) for the
pca's true of a given loop-free program.


A1. {I}. (i.e. we take all of {I} as axioms.)

A2. P{a}Q, P{b}Q ⊢ P{a∪b}Q.

(This is equipollent with Hoare's P{a}Q, P'{b}Q' ⊢
P∧P'{a∪b}Q∨Q'.)

A3. P{a}Q, Q{b}R ⊢ P{a·b}R.

A4. Q{[P]}P∧Q (or P⊃Q{[P]}Q).

A5. P{[F(S)←T]}∃y(P' ∧ (y≠S' ∨ F(y)=T')) (or P''{[F(S)←T]}P)
where E' and E'' are defined as in Theorem 4.

A6. ([G/F]Q){[F←G]}Q (second order assignment).


An issue we do not resolve here is whether the object
inside { } is a program or a concrete representation of it. If
the latter, then we also need a rule:

Az. P{a}Q ⊢ P{a'}Q provided a and a' represent the same
program.


This axiom system is a good approximation to the one
proposed by Hoare [16]. Theorems 1 to 8 provide immediate
confirmation of its soundness and completeness. Note the absence
of Hoare's "Rules of Consequence" P⊃Q, Q{a}R ⊢ P{a}R and
its backward dual P{a}Q, Q⊃R ⊢ P{a}R. We achieve its effect by
using I·a = a·I = a. Then Hoare's Rules of Consequence can be
derived from P{I}Q, Q{a}R ⊢ P{I·a}R ⊢ P{a}R, and dually.


We draw the reader's attention to our efforts to separate 
"competence" from "performance" (cf [6]) in the above. Without 
mentioning axiom systems, we established some properties of 
theories of programs (competence) from which we could readily 
infer the "correctness" of a non-deterministic system 
(performance, in this case as realized by the given axiom 
system). We feel that such a separation has some merit, and 
would like to see it applied more frequently in all domains where 
the dichotomy makes sense, including everyday programming. 


2.3 Regular Programs. 


We now consider a larger class of programs by including
transitive closure as an operation. The reflexive transitive
closure a* of a is the least x (with respect to ⊆)
satisfying a∪I∪x∪x·x = x, which can be shown to be
∪{aⁿ | n≥0}, where aⁱ = a·a·...·a i times. We call
the closure of the set of assignments and tests under ∪, · and *
the class of regular assignment-and-test programs. The
connection with flowcharts is as for the loop-free case, except
that the infinitely many paths that arise when loops are
permitted are disposed of by using Kleene's transformation of
such graphs into regular expressions. (Because we have union as
one of our constructs, permitting non-deterministic programs, the
obstacle raised by Ashcroft and Manna [3] for directly
translating deterministic flowcharts into deterministic
"structured" programs involving just assignment, composition,
if-then-else and while-do does not arise here.)


We may summarize the results of this section as follows.
Regular programs do not in general have as tractable theories as
loop-free programs. Even when F is completely uninterpreted
and {I} is r.e., the innocent looking program [X←F(X)]* does
not have an r.e. theory. However, as a sort of consolation
prize, invariance theories (sets of pca's of the form (P,P)) turn
out to be well behaved with respect to *.
It is easy to find a regular program without an r.e.
theory. Let 0 ∈ Σ₀ and +1,−1 ∈ Σ₁ (successor and predecessor),
all with their standard interpretations on the natural numbers.
Let a be a program implementing Minsky's universal two-counter
machine [26]. Then if {a} were r.e., the halting problem could
be solved by simultaneously running a and looking in {a} for
(P, false) where P says that the counters initially describe
x. This capitalizes on the fact that though pca's cannot in
general assert termination, they can assert non-termination.


When all function symbols are uninterpreted, {a} as
described above is still not r.e., though to prove this takes a
little more care. The idea is to say enough in the antecedent P
referred to above to constrain the domain to have a substructure
isomorphic to the natural numbers with 0 and successor.


The fact that a is a universal program plays an 
important role in these proofs. Thus the following theorem is of 
considerable interest. 


Theorem 16. Let |Σ₀| ≥ 4, |Σ₁| ≥ 3, |Σ₃| ≥ 1, with
V ∈ Σ₀, F ∈ Σ₁. Let the symbols of Σ and Φ (excepting =)
take on all possible interpretations in the universe U. Then
{[V←F(V)]*} is not r.e., despite {I} and {[V←F(V)]} both
being r.e.


Corollary 17. When {I} is r.e., [V←F(V)]* is not recursively
tidy.

(After Theorem 24 we will be able to strengthen this by dropping
"recursively.")


The proof of Theorem 16 appears to take advantage of the
fact that F is uninterpreted, by allowing us to say "if F were
interpreted as a single-stepper for a universal machine,
then...". The following lends credence to that view.


Theorem 18. If < ∈ Φ then {[X←X+1]*} is recursively very tidy.

Invariance Theories. A sense in which * is tractable
can be found in the invariance theory of a, written (a),
which is simply the pca's (P,P) that express invariance.

Theorem 19. (∅) = (I) = I_L, the identity relation on formulae.


Theorem 20. (a∪b) = (a)∩(b).


Theorem 21. (a·b) ⊇ (a)·(b) = (a)∩(b).


This inequality ⊇ cannot be strengthened to = even if
we make a and b tidy or make a = b, as witnessed by
a = b = [X←F(X)] where F is uninterpreted. For let Q =
P(X) ∧ ∀y(P(y) ≡ ¬P(F(y))). Then Q{a·a}Q but not Q{a}Q.
Compare this with the way tidiness came to the rescue in Theorem
7. An amusing consequence of Theorem 21 is:


Corollary 22. For a given program a, the structure
({(aⁿ) | n≥0}, ⊆) is a homomorph of the natural number division
lattice (N, |), with (a) as the least element and (I) as
the greatest. Further, when a = [X←F(X)] with F uninterpreted,
the homomorphism becomes an isomorphism.


Considering that invariance theories fare less well with
· than do full theories (as per Theorem 7), we should not be too
surprised to find in view of Theorem 16 that invariance theories
run into difficulties with * as well. This however is not the
case.


Theorem 23. (a*) = (a).

We can now add to our axiom system:

A7: P{a}P ⊢ P{a*}P.


We note in passing that an apparent limitation of the
method of proving flowchart programs correct by labelling
between-instruction points in the flowchart with assertions is
that the only assertions one can make about loops are invariance
assertions (in contrast, say, to being able to write P{a*}Q in
Hoare's notation). (We are again thinking of flowcharts as state
transition diagrams, i.e. as directed graphs with edges labelled
with instructions.) Theorem 23 strikes an optimistic note of
sorts by seeming to claim completeness given this limitation on
what one can claim about loops. This completeness is
unfortunately a mirage, since the limitation is a mirage; one can
in fact make other than invariance assertions about loops by the
device of having ε-transitions (edges labelled with the identity
program I) leading to and from the loop. This however does not
change the fact that Floyd's induction rule for flowchart
programs [15] cannot be stronger than our A7.


Cook [7] has recently found a situation where Corollary 
15 can be extended to regular programs. The following theorem 
distills a key idea in Cook's proof. 


Theorem 24. (Star Interpolation Theorem). Let a* be tidy,
with P{a*}R. Then there exists Q satisfying P⊃Q⊃R and
Q{a}Q. (An equivalent statement of the theorem is that if a*
is tidy, {a*} = {I}·(a)·{I}.)


(We like the name "interpolation theorem" for this
theorem because of its vague resemblance to the celebrated Craig
Interpolation Lemma [8], which states more or less that if P⊃R
is valid then there exists Q such that P⊃Q⊃R is valid and Q
contains only predicate symbols common to both P and R.)


The significance of this theorem is that to prove P{a*}R
it suffices to prove Q{a}Q for the Q whose existence is
guaranteed by the interpolation theorem, then infer Q{a*}Q
(e.g. by our A7), and then use P⊃Q⊃R and Hoare's Rules of
Consequence (or our Az). Cook has shown that when {I} is
sufficiently "expressive", as is the case when 0,1,+,× ∈ Σ and
have their standard interpretations, then all regular programs
are tidy, allowing the Interpolation Theorem to be applied.
(Cook actually showed this for what one might call "context-free"
programs, namely the class of programs with recursion, which
translates in our case into the closure of the regular programs
under the operation of taking fixed points of those first order
functions on programs definable by first-order lambda
abstraction.)


In the following we need the notion of enumeration
reducibility [30], written A ≤_e B, which roughly speaking means
that given an enumeration of B, A can be effectively
enumerated. Thus if A ≤_e B and B is r.e. then A is r.e.


Corollary 25. When all regular programs are tidy, {a} ≤_e {I}.


Corollary 26. Under the conditions of Theorem 16, if {I} is r.e.
then [V←F(V)]* is not tidy.


We remark in passing that programs such as operating
systems that are intended to run forever can be handled quite
elegantly using *. At first this seems impossible since a
program that never terminates is semantically equivalent to the
empty program, for which all pca's hold. Indeed, when we
translate the program

while true do a

into

([true]·a)*·[false]

we immediately observe [false] = ∅ and x·∅ = ∅. However, if
we simply remove the offending "·[false]", we are left with a
program that simplifies to a*. Then P{a*}Q tells us that if
at some time during the running of the program (e.g. at start-up
time) P held, then after every execution of a, no matter how
long this continues, Q will hold. Thus although we were unable
to use the theory of the original program, it being ∅, the
theory of a closely related program furnished us with precisely
the information we required. This is a good example of how
Floyd-Hoare logic can be more useful than might at first appear.
The theory of sections 1 and 2 is based on quite
simplistic notions of program (binary relation on states) and
theory (binary relation on formulae). Dealing with other program
constructs than union, composition and reflexive transitive
closure may not always be possible in this framework. We explore
this in section 3.1 as the definability problem. For example,
the notions of concurrent process, block structure, and
call-by-name seem not to be definable for binary-relation
programs. We broaden the usual notion of "mathematical
semantics" as "I/O semantics" to embrace a variety of notions of
"abstract program." In section 3.2 we look at one approach to
the problem of extending the descriptive adequacy of Floyd-Hoare
logics, which is handicapped by its ability to be only an upper
bound (with respect to inclusion) on programs.


3.1 A Program Hierarchy 


In this section we cease to identify programs with binary
relations on states, for we will be considering a hierarchy of 7
kinds of programs. In order of decreasing information, this
hierarchy is


(i) Grammars (Permits finite programs)
(ii) Languages (Permits sophisticated control)
(iii) *-ary relations (Permits parallelism)
(iv) Multiweighted binary relations
(Preserves complexity information)
(v) Weighted binary relations (Ditto)
(vi) Binary relations (Preserves I/O information)
(vii) States (Preserves termination information)


This hierarchy is not intended as some hard-and-fast 
structure, but rather as some interesting points in the partial 
ordering (by information content) of varieties of programs. The 
following is also not meant to be so much prescriptive as 
descriptive, and we will often use "might be" in place of "is." 


Let us begin with grammars. To motivate this, we can
start with the following program for computing factorial(X).

A:=1; while X>0 do begin A:=X×A; X:=X−1 end.

This program serves to control a processor that emits a string of
instructions. As such it serves the same function as a grammar.
While this program may not look much like a grammar, if we
rewrite it as a regular expression with alphabet Σ (the set of
tests and assignments of section 2), we might have

A←1; (X>0; A←X×A; X←X−1)*; X≤0


as the regular expression generating all possible execution
sequences, where we have written ; for concatenation. Another
way to generate this set is with a finite-state transition
diagram, which would be a flowchart program of sorts, though with
the usual roles of edges and vertices interchanged. See R.
Karp's Ph.D. thesis [17] for an early example of this
state-transition style of flowchart. Context-free grammars can
of course be used for parameter-less recursion [10,11].


From grammars we move to the languages they generate. 
The usual operations of union, concatenation and Kleene closure 
apply here. Otherwise there is little to say about them at this 
point. 


To get from languages to *-ary relations we need Elgot's
[14] notion of fusion product. Let R,S be two binary
relations. Take their fusion product to be {(a,b,c) | aRbSc}.
The result is a 3-ary relation. Fusion product generalizes to
relations of arbitrary arity. We define a *-ary relation to be a
set of k-tuples (for various k≥1) over some domain, call it U
since our application is to the domain of states. Let R and S
be two *-ary relations. Then their fusion product R·S is
{(a,b,...,c,d,e,...,f,g) | (a,b,...,c,d)∈R and (d,e,...,f,g)∈S}.
The union of *-ary relations is defined in the obvious way.
This system is a semi-ring (ring with no additive inverses) [2,4]
with addition operator ∪ and multiplication operator ·. The
reflexive transitive closure of R is defined, as for any
semi-ring, as the (necessarily unique) least fixpoint of
λx. R∪I∪x∪(x·x). (Here x is least when x∪f = f for any
fixpoint f.) We call the elements of a *-ary relation paths,
each k-tuple being a path of length k−1. This generalizes the
notion of transition used earlier in that the intermediate states
are recorded as well as the initial and final states.


The map from languages to *-ary relations is defined with
the help of the function [ ], defined in section 1 for tests
and assignments (perhaps varied for tests so that it maps P to
E_P). Extend [ ] to strings by letting it map concatenation to
fusion product; thus if α∈Σ* and |α| = n, [α] will be an
(n+1)-ary relation. If |α| = 0, take [α] to be U, the
set of all states, a unary relation. Extend [ ] to sets of
strings completely additively, so that for any set of strings L,
finite or infinite, [L] = ∪{[α] | α∈L}. This completes the definition
of [ ]. A useful theorem is that [ ] takes Kleene closure to
transitive closure, which follows from the complete additivity of
[ ].


We now throw away the names of the intermediate states
in the paths and consider just the path lengths. Thus the
(n+1)-tuple (a,...,b) becomes the triple (a,n,b). We call a
set of such triples a multiweighted binary relation; each
transition (a,b) has a set of weights; each such weight w
corresponds to an element (a,w,b) in the multiweighted relation.
The intuition is that the weights represent the costs of the
possible transitions from a to b. In the variation where [P]
is taken to be E_P, only assignments enter into this accounting.


In the cost function, only one weight is associated with
each transition. Thus the cost function corresponding to the
multiweighted binary relation R is a function from U² to
N∪{∞} which maps (a,b) to the least n such that (a,n,b) is
in R, or to ∞ if there is no such n. The intuition is that
this function gives the fastest way of getting from a to b.


By composing the cost function with the function that
maps ∞ to 0 and everything else to 1, we get a function from
U² to {0,1} that can be considered to be a binary
relation in the usual way. We have reached the binary relations
that we used in sections 1 and 2.


Finally, by projecting a binary relation onto its first 
coordinate, we get the domain of that relation, namely those 
states that lead to a final state. This supplies enough 
information to discuss termination without getting specific as to 
what state the program terminates in. 
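The descent through levels (ii) to (vii) for the factorial program above, as an added example that is not code from the paper. A regular expression over the instruction alphabet is evaluated directly into the *-ary relation of execution paths from a constructed set of initial states, and each lower level is obtained by the projection just described; states are (X, A) pairs, and the tests-do-not-count variation is selectable.

```python
"""Walking the program hierarchy: language -> *-ary relations (paths) ->
multiweighted binary relation -> cost function -> binary relation -> domain.

Added example, not the paper's own code.  States are (X, A) pairs; the
initial states are constructed for the demonstration.
"""
INF = float('inf')

# Instructions: ('test', predicate on states) or ('assign', function on states).
# Programs: an instruction, ('cat', a, b), ('union', a, b), or ('star', a).


def step(instr, path, count_tests):
    """Extend one path by one instruction.  A test keeps the state (and, in the
    variation where [P] is a unary relation, adds no tuple element at all)."""
    kind, f = instr
    s = path[-1]
    if kind == 'test':
        if not f(s):
            return set()
        return {path + (s,)} if count_tests else {path}
    return {path + (f(s),)}


def fuse(prog, paths, count_tests=True):
    """[prog] fused onto a set of paths: every continuation of each path through prog."""
    op = prog[0]
    if op in ('test', 'assign'):
        return set().union(*(step(prog, p, count_tests) for p in paths))
    if op == 'cat':                      # concatenation -> fusion product
        return fuse(prog[2], fuse(prog[1], paths, count_tests), count_tests)
    if op == 'union':
        return fuse(prog[1], paths, count_tests) | fuse(prog[2], paths, count_tests)
    if op == 'star':                     # least fixpoint: I U a U a.a U ...
        result, frontier = set(paths), set(paths)
        while frontier:
            frontier = fuse(prog[1], frontier, count_tests) - result
            result |= frontier
        return result
    raise ValueError(op)


def multiweighted(paths):
    """Level (iv): (a, n, b) for each path of length n from a to b."""
    return {(p[0], len(p) - 1, p[-1]) for p in paths}


def cost(mw):
    """Level (v): least weight per transition (INF where there is none)."""
    c = {}
    for a, n, b in mw:
        c[(a, b)] = min(n, c.get((a, b), INF))
    return c


def binary(costs):
    """Level (vi): compose with (INF -> 0, else 1) and read off a relation."""
    return {ab for ab, n in costs.items() if n != INF}


def domain(rel):
    """Level (vii): the states that lead to a final state."""
    return {a for a, b in rel}


# The factorial program of the text: A<-1; (X>0; A<-X*A; X<-X-1)*; X<=0
FACTORIAL = ('cat', ('assign', lambda s: (s[0], 1)),
             ('cat', ('star', ('cat', ('test', lambda s: s[0] > 0),
                               ('cat', ('assign', lambda s: (s[0], s[0] * s[1])),
                                       ('assign', lambda s: (s[0] - 1, s[1]))))),
                     ('test', lambda s: s[0] <= 0)))


def run_factorial(initial_x=(0, 1, 2, 3), count_tests=True):
    """Evaluate every level for constructed start states (X, 0)."""
    starts = {((x, 0),) for x in initial_x}   # unary relation: paths of length 0
    paths = fuse(FACTORIAL, starts, count_tests)
    c = cost(multiweighted(paths))
    rel = binary(c)
    return {'paths': paths, 'cost': c, 'relation': rel, 'domain': domain(rel)}


if __name__ == '__main__':
    r = run_factorial()
    print(r['cost'][((3, 0), (0, 6))], r['relation'], r['domain'])
```

The timing information visible at level (v) (11 steps from (3,0) to (0,6), or 7 when only assignments are counted) is exactly what is lost in the passage to the binary relation at level (vi).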


There is an interesting trade-off here between
definability and describability. As one moves down the
hierarchy, programs become more describable, but operations on
programs become less definable. The reason Floyd-Hoare theories
describe type (vi) programs easily is because these are so low in
the hierarchy. A theory of termination applied to type (vii)
programs is even easier; the set of initial states that lead to a
final state can be described with formulae in L₀ with
truth defined via unary ⊨ as usual. On the other hand, there
are almost no proposals in the literature for languages suitable
for describing programs of types (i)-(v), other than in the
trivial sense in which they describe the information in the
program preserved in the transition to level (vi). An exception
is Kroeger's [21] notion of "thickness," capturing running
time; this appears explicitly in his modal language, but no
formal semantics analogous to (2) of our section 1.1 or (3) in
1.2 is given in [21], and it is not clear to us how to construct
such a semantics based on our level (v). This level is of
particular interest because it incorporates the minimum
information needed to describe the running time complexity of a
program.


In considering definability we will start with
determinism and totality, then turn to other operations. The
notions of determinism and totality depend on which kind of
program one is discussing. For example, if we are discussing
level (vi) programs, then a deterministic program would be a
function. We call this 6-determinism to correspond to level
(vi), or more mnemonically and independently of our particular
hierarchy, IO-determinism (for input/output). At level (vii)
determinism is not definable. A reasonable definition of a
G-deterministic (level (i), G for Grammar) program written as a
flowchart (directed graph) might be that it satisfies:

(a) all final nodes are leaves (i.e. have out-degree 0), and

(b) if there exist distinct edges (w,u), (w,v) then they are
labelled with tests not simultaneously satisfiable.


Alternatively one could frame the same condition in terms
of domains of the instructions labelling edges:
(a) if u is final, all edges (u,v) have empty domains;
(b) distinct edges (w,u), (w,v) have disjoint domains.


To define 2-determinism (or L-determinism), it helps to
have the notion of the prefix tree of a language. For L ⊆ Σ*,
let ωL be {w∈Σ* | ∃a∈Σ (wa∈L)}, the immediate prefixes of L, and
let ω*L be the least L' satisfying
L ∪ L' ∪ ωL' = L',
the prefixes of L. Then the prefix tree of L is the directed
graph T(L) = (ω*L, {(ωw,w) | w∈ω*L}). (Recall
that graphs are presented as (V,E) where V is the vertex set and
E the edge set.) Consider the edge (w,wa) (for a∈Σ) to be
labelled a. Call those vertices of T(L) that are in L final.
Clearly all leaves are final, but the converse does not
necessarily obtain.


A program represented as a language has such a prefix
tree, which is the non-deterministic non-total analogue of
decision trees [29]. Such a tree can be executed by starting at
the root (guaranteed to exist when the language is non-empty) and
following a path along which no tests evaluate to false. Halting
is permitted only at final nodes. Since we have produced from L
a (possibly infinite) state transition diagram that generates L,
we have an object to which we can apply whatever definition we
used for G-determinism. Hence we can say that a
program is L-deterministic just when the prefix tree of the
language representation of the program is G-deterministic.


Totality is definable at all levels. Extending our
notion of k-determinism in the obvious way, 7-totality (or
D-totality) simply means that the domain is all of the universe
U. For 3≤k≤6, k-totality seems best defined as D-totality,
whereas G-totality should be a syntactic notion that for a
flowchart would say that for every non-final vertex w there
should exist either an assignment edge (w,u), or a set of edges
{(w,u₁),...,(w,uₙ)} whose labels are tests P₁,...,Pₙ such that
P₁∨...∨Pₙ is satisfiable. Alternatively, we could simply
require that for every non-final vertex w there exists a set of
edges {(w,u₁),...,(w,uₙ)} the union of whose domains is U.
Both these definitions are clearly stronger than D-totality. For
L-totality we can do as we did for L-determinism, namely apply
the definition of G-totality to the prefix tree of the language
representation of the program.


We now consider which other operations on programs are
definable at a given level. The less information in a program,
the fewer operations that can be defined. The operation of union
is ubiquitous, applying to all types of programs. Composition
applies to all but the last. An interesting programming language
construct I have not seen proposed before is "fastest(a)" which
computes a by the fastest possible method, in the sense that if
there is more than one way to execute the program a, as there
may be in a nondeterministic system, then the fastest should be
chosen. This operation is not definable beyond type (iv). An
operation useful in operating systems is that of merge (or
shuffle), which forms all possible order-preserving merges of
the strings of its two arguments. This operation does not seem
to be definable beyond type (ii). Recursion is definable at
level (vi) [10]. In a program with recursion and block
structure, if each new activation of a variable is regarded as in
fact being a new variable (calling for a more sophisticated
grammar than a context-free one if the definition is to be
performed at level (i), e.g. indexed grammars [1]), then the
concept of block structure is not definable beyond type (ii).
Call-by-value can be captured at level (ii) by combining block
structure with assignment, but call-by-reference seems to call
for either a very complex language (i.e. at level (i) a very
powerful grammar) or for a different kind of assignment from the
one we have been using, one that can interpret references. Once
call-by-reference is provided for, call-by-name can be handled in
imitation of the classic method of "thunks," but it too seems
not definable beyond level (ii). (It should be pointed out that
"is definable" means roughly "makes sense," and does not at
present have a better defined meaning.)


When the restriction of the homomorphism from type i to
type j programs to a class C of type i programs is an
isomorphism, we call C an i-j-preserving class. A program in
such a class contains no information that cannot be reconstructed
from its type j counterpart, at least for the purpose of
distinguishing it from other programs in C. Knuth [19]
(problem 1.2.1-13) describes a transformation on programs that
precedes every basic instruction by "T←T+1" where T is a new
variable. This transformation yields a program (i) whose type 5
version is in a 5-6-preserving class, and (ii) whose type 6
version is identical to the type 6 version of the unmodified
program to within the effect on T. The importance of this
transformation is that in the transformed program the timing
information is not lost in the transition from type 5 to type 6.
Hence a pca, which ostensibly only describes type 6 programs, can
in effect describe type 5 programs. Since pca's only supply
upper bounds on programs, this method requires some independent
guarantee of termination. Luckham and Suzuki [22] develop this
idea further; it appears that this guarantee has to come in the
interpretation of the pca. They treat this as an application of
the "law of the excluded middle."


3.2 Modal Logic 


In this section we will look briefly at an alternative to
Floyd-Hoare logic for describing programs, namely modal logic, a
significant advantage of which is that it allows one to talk
about correctness and termination in the same first-order
language. (As might be guessed from section 1, we now need to
return to our convention that programs are binary relations.)
Part of this work was done jointly with R. Moore in 1974 [27]. A
similar proposal has been briefly sketched by Burstall [5], who
suggests that the classical modal logic S5 may be used to discuss
correctness and termination simultaneously. Considering that S5
logics are those whose modalities have equivalence relations for
their interpretations, we may infer that either Burstall was on
the right track but had not developed the idea to the point where
S5 could be seen to be inappropriate, or had a considerably
different idea from us of how modal logic was to be applied to
the problem. Schwarz [33] has developed Burstall's work further,
with a definite commitment to S5. Kroeger [21] has also proposed
a modal approach to the logic of programs, in considerably more
detail than Burstall, and with a concern for [ ]-semantics equal to
ours. A major difference between our approach and Kroeger's is
that where we regard programs as (interpretations of) modalities
(unary logical connectives), Kroeger regards them as
propositional variables, and has only one (program-independent)
modality. Both systems represent interesting applications of
modal logic, though the connection of ours with conventional
first-order predicate calculus is more readily established
through our program-oriented semantics of ∃x.


Recall from section 1.1 the interpretations of [a]P and
<a>P. Under these interpretations the following formulae are
visibly valid:

[X←1] X=1
<X←1>true
[X>0] X>0
Y>0 ⊃ [X>0] Y>0
X=0 ⊃ <X=0>true
<a*>true
X≥0 ⊃ <(X←X−1)*> X=0


These particular valid formulae generalize in some
obvious ways, which we can call axioms.


Logical Axioms
All tautologies of Propositional Calculus.
[a](P⊃Q) ⊃ ([a]P ⊃ [a]Q).

Logical Inference Rules
P, P⊃Q ⊢ Q.
P ⊢ [a]P (subsumes P ⊢ ∀xP).


Some theorems that follow from these axioms are: 


[a](P∧Q) ≡ [a]P ∧ [a]Q.
<a>(P∨Q) ≡ <a>P ∨ <a>Q.
<a>(P∧Q) ⊃ (<a>P ∧ <a>Q).
[a]P ⊃ (<a>Q ⊃ <a>(P∧Q)).
[a](P⊃Q) ⊃ (<a>P ⊃ <a>Q).


Axioms for Basic Programs

∀xP ⊃ [T/x]P (any term T) Universal Axiom.

P ⊃ ∀xP unless x∈P ∀ Frame Axiom.
where x∈A(B) ≡ A≠∃x ∧ (A=x ∨ x∈B) (free occurrences).

[P]Q ≡ P⊃Q Test Axiom.

[F(S)←T]P ≡ [IF Z=S THEN T ELSE F(Z)/F(Z)]P Assignment Axiom.
(Here IF-THEN-ELSE is removed as in Theorem 4.)


The two quantification axioms assert that "x←RANDOM"
can change the value of x to anything, and that nothing but x
gets changed. Note the departure from conventional logic, where
both these axioms would be regarded as logical axioms. Because
particular programs are non-logical for us in the same sense that
the particular function denoted by + is considered non-logical
in conventional logic, and because ∃x denotes a particular
program ([x←RANDOM]), we prefer to think of axioms involving ∃x as
non-logical.


The logical axiom [a](P⊃Q) ⊃ ([a]P ⊃ [a]Q) and the
non-logical ∀ Frame Axiom are combined in Mendelson's [25]
system K as ∀x(P⊃Q) ⊃ (P ⊃ ∀xQ) unless x∈P. Despite the
elegance of such a compression, we feel there is some intrinsic
merit in our separation.


Sample theorems that follow from these axioms are: 


Tests.

[P]P Theorem of Intent.
Q ⊃ [P]Q Theorem of Invariance.
P ⊃ <P>true Theorem of Performance.

Assignments
s=S ∧ t=T ⊃ [F(S)←T]F(s)=t (s,t not occurring in S,T) Theorem of Intent.
(P ∧ y=F(S) ∧ s=S) ⊃
[F(S)←T][IF Z=s THEN y ELSE F(Z)/F(Z)]P
Theorem of Invariance.
<F(S)←T>true Theorem of Performance.


The reader familiar with predicate calculus will
recognize in the logical axioms and rules, together with the
two quantification axioms, a sound complete axiom system for the
pure predicate calculus, which we can regard as a language for
talking about "assignment" programs of the form x←RANDOM. This
prompts the question, is the axiom system we have given sound and
complete when L is extended to include test and assignment
modalities? This is easily answered in the affirmative, simply
because the axioms for assignments and tests involve a direct
equivalence with a formula not involving the command, unlike the
axioms for quantifiers. The absence of such an equivalence for
∃x considerably complicates the completeness proof; fortunately
for us, this difficult problem was solved long ago. With such an
equivalence, we know that the left side of the equivalence is
provable if and only if the right side is. Since the right side
does not involve assignment or test modalities, it is provable if
and only if it is valid, since our axiomatization of the pure
predicate calculus is sound and complete. Finally, the right
side is valid if and only if the left side is, by Theorems 3 and
4. Hence for any test or assignment a, [a]P is provable if
and only if it is valid.


We now expand the system to include finite union and 
composition. The following are obvious corollaries of Theorems 6 
and 7. 


[a∪b]P ≡ [a]P ∧ [b]P Union Axiom.
[a·b]P ≡ [a][b]P Composition Axiom.


All of the above axioms have already been established as theorems in Section 2. If $a$ is some loop-free program, the axioms "specify" a series of transformations of $[a]P$ that terminates with a formula of $\mathcal{L}$. This says much the same as Corollary 15. It also allows us to prove, by induction on the height of programs, that these axioms keep the system sound and complete even when $\mathcal{L}$ is augmented with modalities involving $\cup$ and $\circ$.
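The series of transformations just described, as an added example that is not code from the paper: $[a]P$ for a loop-free program is computed by the test, assignment, union and composition axioms alone, and the resulting formula of $\mathcal{L}$ is checked in a few constructed states against the relational semantics. The example assumes a single unary array symbol F, integer arithmetic, and the sample program and states given at the end.

```python
import operator

# Added example (not the paper's code).  Terms, formulas and programs are
# tuples; F is one unary array symbol and F(S) <- T uses the IF-term
# substitution of Theorem 4(b).  The sample program and states are constructed.
OPS = {'+': operator.add, '-': operator.sub, '=': operator.eq, '<': operator.lt}

def term(t, s):
    """Value of term t in state s; s['F'] is the array (unset cells read 0)."""
    if isinstance(t, int): return t
    if t[0] == 'var': return s[t[1]]
    if t[0] == 'F': return s['F'].get(term(t[1], s), 0)
    if t[0] == 'ite': return term(t[2], s) if holds(t[1], s) else term(t[3], s)
    return OPS[t[0]](term(t[1], s), term(t[2], s))

def holds(p, s):
    """Truth value of formula p in state s."""
    if p[0] == 'not': return not holds(p[1], s)
    if p[0] == 'and': return holds(p[1], s) and holds(p[2], s)
    if p[0] == 'impl': return (not holds(p[1], s)) or holds(p[2], s)
    return OPS[p[0]](term(p[1], s), term(p[2], s))

def subst(e, x, by):
    """[by/x]e; for x == 'F', `by` maps each substituted index Z to the term replacing F(Z)."""
    if isinstance(e, int): return e
    if e[0] == 'var': return by if e[1] == x else e
    args = tuple(subst(a, x, by) for a in e[1:])
    return by(args[0]) if (e[0] == 'F' and x == 'F') else (e[0],) + args

def box(a, p):
    """[a]P as a base-language formula: the test, assignment (Theorem 4(b)),
    union and composition axioms applied until no modality remains."""
    if a[0] == 'test': return ('impl', a[1], p)
    if a[0] == 'asg':
        lhs, rhs = a[1], a[2]
        if lhs[0] == 'var': return subst(p, lhs[1], rhs)
        S, T = lhs[1], rhs   # F(S) <- T: [(IF Z=S THEN T ELSE F(Z))/F(Z)]P
        return subst(p, 'F', lambda Z: ('ite', ('=', Z, S), T, ('F', Z)))
    if a[0] == 'union': return ('and', box(a[1], p), box(a[2], p))
    return box(a[1], box(a[2], p))                  # [a o b]P = [a][b]P

def run(a, s):
    """Relational semantics: the states reachable from s by one run of a."""
    if a[0] == 'test': return [s] if holds(a[1], s) else []
    if a[0] == 'asg':
        lhs, v = a[1], term(a[2], s)
        if lhs[0] == 'var': return [{**s, lhs[1]: v}]
        return [{**s, 'F': {**s['F'], term(lhs[1], s): v}}]
    if a[0] == 'union': return run(a[1], s) + run(a[2], s)
    return [t for u in run(a[1], s) for t in run(a[2], u)]

def agree(a, p, s):
    """In state s: syntactic [a]P equals 'P holds in every a-successor of s'."""
    return holds(box(a, p), s) == all(holds(p, t) for t in run(a, s))

# constructed sample: F(X) <- Y o ((X=0 o Y <- Y+1) U (not X=0)); P is F(0) < Y
X, Y = ('var', 'X'), ('var', 'Y')
PROG = ('seq', ('asg', ('F', X), Y),
        ('union', ('seq', ('test', ('=', X, 0)), ('asg', Y, ('+', Y, 1))),
                  ('test', ('not', ('=', X, 0)))))
POST = ('<', ('F', 0), Y)
STATES = [{'X': 0, 'Y': 2, 'F': {}}, {'X': 1, 'Y': 2, 'F': {0: 5}},
          {'X': 1, 'Y': 2, 'F': {0: 1}}]
```

`box(PROG, POST)` contains no modality, only IF-terms and connectives, which is what makes provability of the left side reduce to validity of the right side.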


To deal with $*$, we have:

$\langle a^n\rangle P \supset \langle a^*\rangle P$    Axioms of Intent.
$P\supset[a]P \;\vdash\; P\supset[a^*]P$    Rule of Invariance.
$[N+1/N]P \supset \langle a\rangle P \;\vdash\; P \supset \langle a^*\rangle[0/N]P$    Rule of Performance.


In the Axioms of Intent for $*$, $n$ is a meta-variable giving one axiom per natural number. In the Rule of Performance, $N$ is in $\mathcal{V}$, and we require $0$ in $\mathcal{F}_0$ and $+1$ (successor) in $\mathcal{F}_1$. Besides $=$ in the assignment axiom for non-zero arities, this is the only rule (or axiom) requiring non-logical symbols, and then only when $N$ occurs in $P$.


A word of caution is in order here about replacing $\vdash$ by $\supset$ in the Rule of Invariance for $*$. The meaning of $(P\supset[a]P) \supset (P\supset[a^*]P)$ is that for any state $\mathcal{S}$, if $P\supset[a]P$ holds in $\mathcal{S}$ then so does $P\supset[a^*]P$. A counter-example to this would be when $P$ is $X<10$, $a$ is $[X\leftarrow X+1]$ and $\mathcal{S}$ satisfies $X=0$. "Running" $a$ once in this state will certainly preserve $P$, but running it ten or more times will not. A similar warning holds for the Rule of Performance for $*$, even if we rephrase it as the rule $\forall n\,[P(n+1)\supset\langle a\rangle P(n)] \wedge P(T) \supset \langle a^*\rangle P(0)$. In this case one counter-example would be to make $\mathcal{S}$ satisfy $X=2\wedge Y=1$, and to take $P(n)$ to be $X=n$ and $a$ to be $X\leftarrow X-Y \circ Y\leftarrow 0$. Then in $\mathcal{S}$ the antecedent holds, but after running $a$ once, $X$ can no longer decrease, and will thereafter remain stuck at $1$.


To see these rules in action, we may show with their help that the following program halts when $X\geq0$ initially.

$Y\leftarrow 0 \circ (X\neq0 \circ$
$\qquad (X\neq0 \circ X\leftarrow X-1 \circ Y\leftarrow Y+1)^* \circ X=0 \circ$
$\qquad Y\leftarrow Y-1 \circ$
$\qquad (Y\neq0 \circ Y\leftarrow Y-1 \circ X\leftarrow X+1)^* \circ Y=0)^*$


Manna and Pnueli [24] have proved that this program halts, claiming that a proof by Floyd's method of demonstrating termination [15], namely showing that traversing any loop decreases some well-founded quantity, would be very complicated. They proposed another approach. Our modal logic approach supplies yet another first-order approach with the added advantage that it has an elegant semantical basis.


If we permit program modalities in tests, we are in effect allowing behavior conditional on "what might have been," that is, on properties of hypothetical worlds accessed by programs that leave behind no side effects after the test. This gives us a quite simple foundation for the semantics of languages like PLANNER and CONNIVER, where such exploratory tests are possible.


4. Appendix 
All theorems are re-stated here and proved if necessary. 


Tidiness Duality Lemma (TDL): Program $a$ is forward tidy if and only if $a^{-}$ is backward tidy.

Proof. $a$ forward tidy
$\equiv \forall P\exists Q\,(Q \equiv \langle a^{-}\rangle P)$
$\equiv \forall P\exists Q\,(Q \equiv \neg[a^{-}]\neg P)$
$\equiv \forall P\exists Q\,(\neg Q \equiv [a^{-}]\neg P)$
$\equiv \forall P\exists Q\,(Q \equiv [a^{-}]P)$    ($\neg\neg P \equiv P$)
$\equiv a^{-}$ backward tidy. ∎


Tidiness Characterization Lemma (TCL):
(a) Let $a$ be forward tidy. Then $\{a\} = (a\Rightarrow)\cdot\{I\}$.
(b) Let $b$ be backward tidy. Then $\{b\} = \{I\}\cdot(\Leftarrow b)$.

Proof.
(b) $P\{b\}R \equiv P\supset[b]R$
$\supset \forall Q\,(Q\equiv[b]R \supset P\supset Q)$
$\supset \exists Q\,(P\{I\}Q \wedge Q(\Leftarrow b)R)$    ($b$ backward tidy, Th 2)
$\equiv P(\{I\}\cdot(\Leftarrow b))R$

$\exists Q\,(P\{I\}Q \wedge Q(\Leftarrow b)R) \supset \exists Q\,(P\supset Q \wedge Q\equiv[b]R)$    ($b$ backward tidy, Th 2)
$\supset P\supset[b]R$

Hence $P\{b\}R \equiv P(\{I\}\cdot(\Leftarrow b))R$.
(a) $\{a\} = \sim\{a^{-}\}\sim$    (D)
$= \sim(\{I\}\cdot(\Leftarrow a^{-}))\sim$    (b), (TDL)
$= (\sim(\Leftarrow a^{-})\sim)\cdot(\sim\{I\}\sim)$
$= (\sim(\Leftarrow a^{-})\sim)\cdot\{I\}$
$= (a\Rightarrow)\cdot\{I\}$    (D) ∎

Theorem 1. $\{\emptyset\} = \mathcal{L}^2$.
Proof. $\forall\mathcal{S}\mathcal{T}\,(\mathcal{S}\,\emptyset\,\mathcal{T} \supset (\mathcal{S},\mathcal{T})\models(P,Q))$ is true vacuously. ∎


Theorem 2. $\{I\} = \{(P,Q) \mid U\models(P\supset Q)\}$.

Proof. $\{I\} = \{(P,Q) \mid (\mathcal{S},\mathcal{T})\in I \supset (\mathcal{S}\models P \supset \mathcal{T}\models Q)\}$    (by (F))
$= \{(P,Q) \mid \mathcal{S}\in U \supset (\mathcal{S}\models P \supset \mathcal{S}\models Q)\}$    (def. of $I$)
$= \{(P,Q) \mid \mathcal{S}\in U \supset \mathcal{S}\models(P\supset Q)\}$    (by (1))
$= \{(P,Q) \mid U\models(P\supset Q)\}$ ∎


Theorem 3. Let $R$ be a test.
(a) $\langle[R]^{-}\rangle P \equiv R\wedge P$.    (Forward tidiness)
(b) $[[R]]P \equiv R\supset P$.    (Backward tidiness)

Proof.
(a) It suffices to prove that $\mathcal{S}\models\langle[R]^{-}\rangle P \equiv \mathcal{S}\models(R\wedge P)$.
$\mathcal{S}\models\langle[R]^{-}\rangle P \equiv \bigvee_{\mathcal{T}[R]\mathcal{S}} \mathcal{T}\models P$
$\equiv \mathcal{S}\models R \wedge \mathcal{S}\models P$
$\equiv \mathcal{S}\models(R\wedge P)$
(b) $[[R]]P \equiv \neg\langle[R]\rangle\neg P$
$\equiv \neg(R\wedge\neg P)$    (using (a), and $[R]^{-} = [R]$)
$\equiv R\supset P$ ∎
IF lemma. Evaluating $\mathcal{S}\models W$ when $W$ is a formula containing IF-terms yields the same truth value whether IF is first removed by the above transformations or left in place and evaluated using

$\mathcal{S}\models(\mathrm{IF}\ P\ \mathrm{THEN}\ S\ \mathrm{ELSE}\ T) = \mathrm{if}\ \mathcal{S}\models P\ \mathrm{then}\ \mathcal{S}\models S\ \mathrm{else}\ \mathcal{S}\models T$.
Proof. Straightforward. (Use induction on depth of IF-terms.) ∎


Theorem 4. Let $F(S)\leftarrow T$ be an assignment.
(a) $\langle[F(S)\leftarrow T]^{-}\rangle P \equiv \exists y\exists s\,(P' \wedge s=S' \wedge F(s)=T')$
    where $E' = [(\mathrm{IF}\ Z=s\ \mathrm{THEN}\ y\ \mathrm{ELSE}\ F(Z))/F(Z)]E$.
(b) $[[F(S)\leftarrow T]]P \equiv P''$
    where $E'' = [(\mathrm{IF}\ Z=S\ \mathrm{THEN}\ T\ \mathrm{ELSE}\ F(Z))/F(Z)]E$.

Proof.
(a) We first prove the aging lemma.

Aging Lemma. Suppose $A_{\mathcal{S}} = A_{\mathcal{T}}$ for all symbols $A\neq F$, $F_{\mathcal{T}}(y) = F_{\mathcal{S}}(y)$ for all $y\neq s_{\mathcal{T}}$, and $F_{\mathcal{S}}(s_{\mathcal{T}}) = x_{\mathcal{T}}$. Then $\mathcal{S}\models A(B) = \mathcal{T}\models A(B)'$.

Proof. By induction on the height of $A(B)$. Assume $\mathcal{S}\models B = \mathcal{T}\models B'$.

Case (i). $A = F$.
Subcase (a), $\mathcal{S}\models B \neq s_{\mathcal{T}}$:
$\mathcal{S}\models F(B) = F_{\mathcal{S}}(\mathcal{S}\models B)$
$= F_{\mathcal{T}}(\mathcal{T}\models B')$    ($\mathcal{S}\models B \neq s_{\mathcal{T}}$, ind. hyp.)
$= \mathcal{T}\models F(B')$
$= \mathcal{T}\models(\mathrm{IF}\ B'\neq s\ \mathrm{THEN}\ F(B')\ \mathrm{ELSE}\ x)$    ($\mathcal{T}\models B' = \mathcal{S}\models B \neq s_{\mathcal{T}}$, IF lemma)
$= \mathcal{T}\models F(B)'$    (def. of $'$)
Subcase (b), $\mathcal{S}\models B = s_{\mathcal{T}}$:
$\mathcal{S}\models F(B) = F_{\mathcal{S}}(\mathcal{S}\models B)$
$= F_{\mathcal{S}}(s_{\mathcal{T}})$    (given)
$= x_{\mathcal{T}}$    (given)
$= \mathcal{T}\models(\mathrm{IF}\ B'\neq s\ \mathrm{THEN}\ F(B')\ \mathrm{ELSE}\ x)$    ($\mathcal{T}\models B' = \mathcal{S}\models B = s_{\mathcal{T}}$, IF lemma)
$= \mathcal{T}\models F(B)'$    (def. of $'$).

Case (ii), $A = \exists x$.
Cf. case (ii) of 4(b).

Case (iii), other $A$.
$\mathcal{S}\models A(B) = A_{\mathcal{S}}(\mathcal{S}\models B)$
$= A_{\mathcal{T}}(\mathcal{T}\models B')$    ($A_{\mathcal{S}} = A_{\mathcal{T}}$, ind. hyp.)
$= \mathcal{T}\models A(B')$
$= \mathcal{T}\models A(B)'$    (def. of $'$) ∎
Aging corollary 1. If $\mathcal{S}[F(S)\leftarrow T]\mathcal{T}$, $\mathcal{S}\models F(S) = x_{\mathcal{T}}$ and $\mathcal{S}\models S = s_{\mathcal{T}}$, then $\mathcal{S}\models A(B) = \mathcal{T}\models A(B)'$.

Aging corollary 2. Given $\mathcal{T}$, if $\mathcal{S}$ is

$\lambda A.\ \mathrm{if}\ A\neq F\ \mathrm{then}\ A_{\mathcal{T}}\ \mathrm{else}\ \lambda y.\ \mathrm{if}\ y\neq s_{\mathcal{T}}\ \mathrm{then}\ F_{\mathcal{T}}(y)\ \mathrm{else}\ x_{\mathcal{T}}$

then $\mathcal{S}\models A(B) = \mathcal{T}\models A(B)'$.

Transition existence lemma. Given $\mathcal{T}$, if $\mathcal{S}$ is as in the previous corollary, $s_{\mathcal{T}} = \mathcal{T}\models S'$, and $F_{\mathcal{T}}(s_{\mathcal{T}}) = \mathcal{T}\models T'$, then $\mathcal{S}[F(S)\leftarrow T]\mathcal{T}$. (That is, constructing $\mathcal{S}$ from $\mathcal{T}$ in this way guarantees a transition from $\mathcal{S}$ to $\mathcal{T}$ via $[F(S)\leftarrow T]$.)

Proof. By aging corollary 2 we have $s_{\mathcal{T}} = \mathcal{S}\models S$, and $F_{\mathcal{T}}(\mathcal{S}\models S) = \mathcal{S}\models T$.
Then $\mathcal{S}[F(S)\leftarrow T] = \lambda A.\ \mathrm{if}\ A\neq F\ \mathrm{then}\ A_{\mathcal{S}}\ \mathrm{else}\ \lambda x.\ \mathrm{if}\ x\neq\mathcal{S}\models S\ \mathrm{then}\ F_{\mathcal{S}}(x)\ \mathrm{else}\ \mathcal{S}\models T$
$= \lambda A.\ \mathrm{if}\ A\neq F\ \mathrm{then}\ A_{\mathcal{T}}\ \mathrm{else}\ \lambda x.\ \mathrm{if}\ x\neq\mathcal{S}\models S\ \mathrm{then}\ F_{\mathcal{T}}(x)\ \mathrm{else}\ F_{\mathcal{T}}(s_{\mathcal{T}})$
    (def. of $\mathcal{S}$, $s_{\mathcal{T}} = \mathcal{S}\models S$, $F_{\mathcal{T}}(\mathcal{S}\models S) = \mathcal{S}\models T$)
$= \lambda A.\ \mathrm{if}\ A\neq F\ \mathrm{then}\ A_{\mathcal{T}}\ \mathrm{else}\ \lambda x.\ F_{\mathcal{T}}(x)$
$= \lambda A.\ \mathrm{if}\ A\neq F\ \mathrm{then}\ A_{\mathcal{T}}\ \mathrm{else}\ F_{\mathcal{T}}$    ($\eta$-reduction)
$= \lambda A.\ A_{\mathcal{T}}$
$= \mathcal{T}$    ($\eta$-reduction). ∎

We can now complete the proof of Theorem 4(a). It suffices to show that

$\mathcal{T}\models\langle[F(S)\leftarrow T]^{-}\rangle P = \mathcal{T}\models\exists y\exists s\,(P' \wedge s=S' \wedge F(s)=T')$.

Now L.H.S. $= \exists\mathcal{S}\,(\mathcal{S}\models P \wedge \mathcal{S}[F(S)\leftarrow T]\mathcal{T})$
$= \exists\mathcal{S}\,(\mathcal{S}\models P \wedge \mathcal{S}[F(S)\leftarrow T]\mathcal{T} \wedge F_{\mathcal{T}}(\mathcal{S}\models S) = \mathcal{S}\models T)$
    (third conjunct implied by second by def. of $[F(S)\leftarrow T]$)
    ($\supset$: take $y_{\mathcal{T}} = \mathcal{S}\models F(S)$, $s_{\mathcal{T}} = \mathcal{S}\models S$. $\subset$: take $\mathcal{S}$ as in a.c.2)
$= \mathcal{T}\models\exists y\exists s\,(P' \wedge s=S' \wedge F(s)=T')$
$=$ R.H.S.

The preceding lemmas make it straightforward to verify each step.


(b) It suffices to show that for all $\mathcal{S}$,
$\mathcal{T}\models P = \mathcal{S}\models P'$
where $\mathcal{T} = \lambda A.\ \mathrm{if}\ A\neq F\ \mathrm{then}\ A_{\mathcal{S}}\ \mathrm{else}\ \lambda s.\ \mathrm{if}\ s\neq\mathcal{S}\models S\ \mathrm{then}\ F_{\mathcal{S}}(s)\ \mathrm{else}\ \mathcal{S}\models T$
and $E' = [(\mathrm{IF}\ Z=S\ \mathrm{THEN}\ T\ \mathrm{ELSE}\ F(Z))/F(Z)]E$.

We proceed by induction on the height of $P = A(B)$.
We take as our induction hypothesis:
$\forall y\,\forall\mathcal{S}''\mathcal{T}''\,((\mathcal{S}''\equiv_y\mathcal{S} \wedge \mathcal{S}''[F(S)\leftarrow T]\mathcal{T}'') \supset (\mathcal{T}''\models P = \mathcal{S}''\models P'))$
where $\mathcal{S}''\equiv_y\mathcal{S}$ means that $\mathcal{S}''$ and $\mathcal{S}$ differ only in their assignment to $y$.

Case (i). $A = F$.
$\mathcal{T}\models F(B) = F_{\mathcal{T}}(\mathcal{T}\models B)$
$= F_{\mathcal{T}}(\mathcal{S}\models B')$
$= \mathrm{if}\ \mathcal{S}\models B' = \mathcal{S}\models S\ \mathrm{then}\ \mathcal{S}\models T\ \mathrm{else}\ F_{\mathcal{S}}(\mathcal{S}\models B')$
$= \mathcal{S}\models(\mathrm{IF}\ B'=S\ \mathrm{THEN}\ T\ \mathrm{ELSE}\ F(B'))$
$= \mathcal{S}\models F(B)'$.

Case (ii). $A = \exists x$.
$\mathcal{T}\models\exists xP = \mathcal{T}\models\exists y[y/x]P$    ($\alpha$-reduction)
$= \exists\mathcal{T}''\,(\mathcal{T}''\equiv_y\mathcal{T} \wedge \mathcal{T}''\models[y/x]P)$
$= \exists\mathcal{S}''\,(\mathcal{S}''\equiv_y\mathcal{S} \wedge \mathcal{S}''\models([y/x]P)')$
$= \mathcal{S}\models\exists y\,(([y/x]P)')$
$= \mathcal{S}\models(\exists xP)'$.

Case (iii). Other $A$.
$\mathcal{T}\models A(B) = A_{\mathcal{T}}(\mathcal{T}\models B)$
$= A_{\mathcal{S}}(\mathcal{S}\models B')$
$= \mathcal{S}\models A(B')$
$= \mathcal{S}\models A(B)'$. ∎

Theorem 5. Let $F\leftarrow G$ be a second-order assignment.
$[[F\leftarrow G]]P \equiv [G/F]P$

($[G/F]$ is a convenient abbreviation for $[G(Z)/F(Z)]$.)

Hence second-order assignment is backward tidy.
Proof. Essentially the same as for Theorem 4(b). ∎
Theorem 6. $\{a\cup b\} = \{a\}\cap\{b\}$.

Proof. $P\{a\cup b\}Q$
$\equiv \forall\mathcal{S}\mathcal{T}\,(\mathcal{S}(a\cup b)\mathcal{T} \supset (\mathcal{S},\mathcal{T})\models(P,Q))$
$\equiv \forall\mathcal{S}\mathcal{T}\,((\mathcal{S}a\mathcal{T} \vee \mathcal{S}b\mathcal{T}) \supset (\mathcal{S},\mathcal{T})\models(P,Q))$
$\equiv \forall\mathcal{S}\mathcal{T}\,((\mathcal{S}a\mathcal{T} \supset (\mathcal{S},\mathcal{T})\models(P,Q)) \wedge (\mathcal{S}b\mathcal{T} \supset (\mathcal{S},\mathcal{T})\models(P,Q)))$
$\equiv P\{a\}Q \wedge P\{b\}Q$
$\equiv P(\{a\}\cap\{b\})Q$. ∎

Theorem 7A. $\{a\circ b\} \supseteq \{a\}\cdot\{b\}$.

Proof. $P(\{a\}\cdot\{b\})R$
$\equiv \exists Q\forall\mathcal{S}\mathcal{T}\mathcal{K}\,((\mathcal{S}a\mathcal{T} \supset (\mathcal{S},\mathcal{T})\models(P,Q)) \wedge (\mathcal{T}b\mathcal{K} \supset (\mathcal{T},\mathcal{K})\models(Q,R)))$
$\supset \exists Q\forall\mathcal{S}\mathcal{T}\mathcal{K}\,((\mathcal{S}a\mathcal{T} \wedge \mathcal{T}b\mathcal{K}) \supset ((\mathcal{S},\mathcal{T})\models(P,Q) \wedge (\mathcal{T},\mathcal{K})\models(Q,R)))$
$\supset \exists Q\forall\mathcal{S}\mathcal{T}\mathcal{K}\,(\mathcal{S}a\mathcal{T}b\mathcal{K} \supset (\mathcal{S},\mathcal{K})\models(P,R))$
$\equiv \forall\mathcal{S}\mathcal{K}\,(\mathcal{S}(a\circ b)\mathcal{K} \supset (\mathcal{S},\mathcal{K})\models(P,R))$
$\equiv P\{a\circ b\}R$. ∎


Theorem 7. $\{a\circ b\} = \{a\}\cdot\{b\}$ when $a$ is forward tidy or $b$ is backward tidy.

Proof. It suffices to show $\{a\circ b\}\subseteq\{a\}\cdot\{b\}$.
(a) $P\{a\circ b\}R$
$\equiv \forall\mathcal{S}\mathcal{K}\,(\mathcal{S}(a\circ b)\mathcal{K} \supset (\mathcal{S},\mathcal{K})\models(P,R))$
$\equiv \forall\mathcal{T}\mathcal{K}\,(\exists\mathcal{S}\,(\mathcal{S}a\mathcal{T}b\mathcal{K} \wedge \mathcal{S}\models P) \supset \mathcal{K}\models R)$
$\equiv \forall\mathcal{T}\mathcal{K}\,(\mathcal{T}b\mathcal{K} \supset (\exists\mathcal{S}\,(\mathcal{S}a\mathcal{T} \wedge \mathcal{S}\models P) \supset \mathcal{K}\models R))$
$\equiv \forall\mathcal{T}\mathcal{K}\,(\mathcal{T}b\mathcal{K} \supset (\mathcal{T}\models\langle a^{-}\rangle P \supset \mathcal{K}\models R))$
$\equiv \langle a^{-}\rangle P\{b\}R$
$\equiv P\{a\}\langle a^{-}\rangle P\{b\}R$    since $P\{a\}\langle a^{-}\rangle P$
$\supset P(\{a\}\cdot\{b\})R$ ∎
Theorem 8.
(a) If $a,b$ are forward tidy, so are $a\cup b$ and $a\circ b$;
(b) If $a,b$ are backward tidy, so are $a\cup b$ and $a\circ b$.

Proof.
(a) $\langle(a\cup b)^{-}\rangle P \equiv \langle a^{-}\cup b^{-}\rangle P$
$\equiv \langle a^{-}\rangle P \vee \langle b^{-}\rangle P$
$\equiv Q\vee R$ where $Q\equiv\langle a^{-}\rangle P$ and $R\equiv\langle b^{-}\rangle P$.
$\langle(a\circ b)^{-}\rangle P \equiv \langle b^{-}\circ a^{-}\rangle P$
$\equiv \langle b^{-}\rangle\langle a^{-}\rangle P$
$\equiv \langle b^{-}\rangle Q$ where $Q\equiv\langle a^{-}\rangle P$
$\equiv R$ where $R\equiv\langle b^{-}\rangle Q$.
(b) $[a\cup b]P \equiv [a]P\wedge[b]P$
$\equiv Q\wedge R$ where $Q\equiv[a]P$ and $R\equiv[b]P$.
$[a\circ b]P \equiv [a][b]P$
$\equiv [a]Q$ where $Q\equiv[b]P$
$\equiv R$ where $R\equiv[a]Q$. ∎


Corollary 9. All loop-free assignment-and-test programs are very tidy (possibly excepting forward tidiness for second order assignment).

Proof. Use induction on the height of a program, together with Theorems 1-8. ∎

In the following few theorems, a useful result is:

Lemma D. $\{a\} \leq_m \{a^{-}\}$.
Proof. $\{a\} = \sim\{a^{-}\}\sim$    (D)
$\leq_m \{a^{-}\}$ by the obvious calculation. ∎


We note also that TDL can be strengthened to include the word "recursively" before every occurrence of "tidy." If $f$ is the recursive tidiness function of $a$ then the dual tidiness function $g$ of $a^{-}$ is defined by $g(P) = \neg f(\neg P)$.


Theorem 10. $\{a\cup b\} \leq_m \{a\}\times\{b\}$ (Cartesian product).
Proof. $\{a\cup b\} = \{a\}\cap\{b\}$    Th 6
$\leq_m \{a\}\times\{b\}$ ∎


Theorem 11.
(a) If $a$ is forward recursively tidy, $\{a\circ b\} \leq_m \{b\}$.
(b) If $b$ is backward recursively tidy, $\{a\circ b\} \leq_m \{a\}$.

Proof.
(a) $\{a\circ b\} = \{a\}\cdot\{b\}$    Th 7
$= (a\Rightarrow)\cdot\{I\}\cdot\{b\}$    TCL
$= (a\Rightarrow)\cdot\{I\circ b\}$    Th 7
$= (a\Rightarrow)\cdot\{b\}$
Hence to test $P\{a\circ b\}R$ it suffices to calculate the $Q$ satisfying $P(a\Rightarrow)Q$ and test $Q\{b\}R$.

(b) $\{a\circ b\} \leq_m \{b^{-}\circ a^{-}\}$    Lemma D
$\leq_m \{a^{-}\}$    Th 11(a)
$\leq_m \{a\}$    Lemma D. ∎


Theorem 12. If $a$ is recursively tidy, $\{a\} \leq_m \{I\}$.

Proof.
(a) If $a$ is forward recursively tidy,
$\{a\} = \{a\circ I\}$
$\leq_m \{I\}$    Th 11(a).
(b) When $a$ is backward recursively tidy,
$\{a\} \leq_m \{a^{-}\}$    Lemma D
$\leq_m \{I\}$    TDL, 12(a). ∎

Theorem 13. Instructions are recursively very tidy.

Proof. The strongest consequents and weakest antecedents given by Theorems 3 and 4 are easily calculated. ∎

Theorem 14. If $a,b$ are forward (backward) recursively tidy, so are $a\cup b$ and $a\circ b$.

Proof. In all four cases of Theorem 8, the desired weakest antecedents and strongest consequents are easily calculated. ∎
Corollary 15. If $a$ is a loop-free assignment-and-test program, $\{a\} \leq_m \{I\}$.

(Note that $\{I\}^n = \{I\}\times\{I\}\times\ldots\times\{I\} \leq_m \{I\}$, for any $n$, since the $n$ questions about membership in $\{I\}$ can be rephrased as a single conjunction.)

Proof. This follows by induction on the height of a program, using Theorems 10-14. ∎


Theorem 16. Let $|\mathcal{V}|\geq1$, $|\mathcal{F}_0|\geq1$, $|\mathcal{F}_1|\geq3$, $|\mathcal{F}_3|\geq1$, with $V\in\mathcal{V}$, $F\in\mathcal{F}_1$. Let the symbols of $\mathcal{F}$ and $\mathcal{P}$ (excepting $=$) take on all possible interpretations in the universe $U$. Then $\{[V\leftarrow F(V)]^*\}$ is not r.e., despite $\{I\}$ and $\{[V\leftarrow F(V)]\}$ both being r.e.


Proof. The idea is to make $V$ encode the contents of the two registers and the "program-counter" of a universal register machine $p$ (presented as a directed graph, one edge-traversal of $p$ corresponding to one application of $F$ to $V$). The basic instructions labelling the edges of the graph will be $X\leftarrow X+1$, $X\leftarrow X-1$, $X=0$, $X\neq0$, $Y\leftarrow Y+1$, $Y\leftarrow Y-1$, $Y=0$, $Y\neq0$. (See Minsky [26] for a description of such a machine.) To define the program counter, we number the vertices of $p$ with distinct natural numbers; the choice of numbers is unimportant. Let $p$'s start vertex be numbered $s$ and final vertex $f$. We assume without loss of generality that leaving each vertex $v$ of $p$ is either an assignment edge or a pair of edges labelled with complementary tests ($X=0$, $X\neq0$ or $Y=0$, $Y\neq0$). (If necessary, add edges labelled $X=0$ and $X\neq0$ from $f$ to $f$.) Now $p$ may run for ever, and halting will be defined by reaching state $f$, where it then is forced to stay. It is important that where control goes next be completely specified for every vertex, otherwise $F$ may take $V$ to a value that damages our theorem. Another property we shall require of $p$ is that it never attempt to decrement a zero register, which is easily arranged. We shall also require that when $p$ has made up its mind to enter the final state, it sets $X$ and $Y$ to $0$ first.


The 3-ary function symbol $C$ is used to encode $X$, $Y$ and the program counter. The following is the only property $C$ needs to work reliably as an encoder.

$\forall xy\,(C(x) = C(y) \supset x=y)$.

Call this sentence $P_0$. It says that encoding is 1-1, i.e. does not lose information.

We also want to say that $0$, $U$ and $D$ are supposed to behave similarly to standard $0$, successor and predecessor. We let $P_U$ denote

$\forall x\,(U(x)\neq0 \wedge D(U(x)) = x)$.


We now force $F$ to execute one step of $p$. We let $P_p$ denote the conjunction of a set of sentences, one per edge of $p$, whose elements are defined by the following table, where $i,j$ denote the numbers labelling the start and end of the corresponding edge.

Instruction on edge $(i,j)$     Corresponding sentence
$X\leftarrow X+1$               $\forall xy\,(F(C(x,y,U^i(0))) = C(U(x),y,U^j(0)))$
$X\leftarrow X-1$               $\forall xy\,(F(C(U(x),y,U^i(0))) = C(x,y,U^j(0)))$
$X=0$                           $\forall y\,(F(C(0,y,U^i(0))) = C(0,y,U^j(0)))$
$X\neq0$                        $\forall xy\,(F(C(U(x),y,U^i(0))) = C(U(x),y,U^j(0)))$

and similarly for $Y$.


Claim 1. Given any interpretation $\mathcal{S}$ satisfying $P_U$, in which all symbols save $F$ are assigned interpretations, let $N$ denote $\{\mathcal{S}\models U^n(0) \mid n\geq0\}$ and let $M$ denote $\{\mathcal{S}\models U^m(0) \mid m$ labels a vertex of $p\}$. Thus $N$ is that subset of $D$ reachable via $U_{\mathcal{S}}$ from $0_{\mathcal{S}}$, and $M$ is that subset of $D$ corresponding to the vertices of the flowchart. Then the above table consistently and completely determines $F_{\mathcal{S}}(C_{\mathcal{S}}(x,y,z))$ for all $x,y\in N$ and $z\in M$, except when the edge leaving vertex "$z$" is labelled with $X\leftarrow X-1$, in which case it is undetermined when $x = 0_{\mathcal{S}}$, and similarly for $Y\leftarrow Y-1$. ("$z$" is the necessarily unique natural number satisfying $U_{\mathcal{S}}^{"z"}(0_{\mathcal{S}}) = z$.)

Proof. Completeness follows from the fact that every vertex labelled "$i$" has either an assignment leaving it, or a pair of tests. In the former case $F_{\mathcal{S}}(C_{\mathcal{S}}(x,y,i))$ is completely specified except for the decrement instructions. In the latter case, $F_{\mathcal{S}}(C_{\mathcal{S}}(0,y,i))$ is specified, as is $F_{\mathcal{S}}(C_{\mathcal{S}}(U(x),y,i))$, accounting for all elements of $N$. Consistency follows from $P_0$ and $P_U$, which together ensure that each of the above equations specifies $F_{\mathcal{S}}$ at a different element of the domain. ∎


Claim 2. If $x,y\in N$ and $z\in M$ then $F_{\mathcal{S}}(C_{\mathcal{S}}(x,y,z)) = C_{\mathcal{S}}(a,b,c)$ where, if $p$ is started with "control" at vertex "$z$" and $X,Y$ contain "$x$", "$y$" respectively, then running $p$ for one step yields "$a$" in $X$ and "$b$" in $Y$, with control at vertex "$c$".

Proof. Straightforward. ∎
Now assume that $\{[V\leftarrow F(V)]^*\}$ is r.e. Then we can decide whether $p$ started with $i$ in register $X$ and $0$ in register $Y$ will ever halt, thereby solving the halting problem for this universal machine, a contradiction [26]. To decide whether $p$ halts, run $p$ and at the same time enumerate $\{[V\leftarrow F(V)]^*\}$ looking for

$(P_0 \wedge P_U \wedge P_p \wedge P_1,\ V\neq C(0,0,U^f(0)))$

where $P_1$ is $V = C(U^i(0),0,U^s(0))$.

The crucial observation is that we will find this pair if and only if $p$ does not halt. For certainly if we find it we know that by Lemma 2 the machine cannot get into the state $(0,0,f)$. Conversely, if the machine cannot get into this state, then by Lemmas 1 and 2 $V\neq C(0,0,U^f(0))$ will remain true no matter how often $F$ is applied to $V$.

This completes the proof of Theorem 16. ∎


Corollary 17. When $\{I\}$ is r.e., $[V\leftarrow F(V)]^*$ is not recursively tidy.

Proof. Suppose $[V\leftarrow F(V)]^*$ to be recursively tidy. Then
$\{[V\leftarrow F(V)]^*\} = \{[V\leftarrow F(V)]^*\circ I\}$
$\leq_m \{I\}$    Th. 11
but this would imply that $\{[V\leftarrow F(V)]^*\}$ is r.e., contradicting Theorem 16. ∎


Theorem 18. If $\leq\in\mathcal{P}$ then $[V\leftarrow V+1]^*$ is recursively very tidy.

Proof. $\langle([V\leftarrow V+1]^*)^{-}\rangle P \equiv \exists n\,(n\leq V \wedge [n/V]P)$.
$[[V\leftarrow V+1]^*]P \equiv \forall n\,(V\leq n \supset [n/V]P)$. ∎


Theorem 19. $(\emptyset) = (I) = \mathcal{L}$.
Proof. Straightforward. ∎
Theorem 20. $(a\cup b) = (a)\cap(b)$.
Proof. Straightforward. ∎
Theorem 21. $(a\circ b) \supseteq (a)\cap(b) = (a\cup b)$.
Proof. Straightforward. ∎
Corollary 22. For a given program $a$, the structure $\langle\{(a^n) \mid n\geq0\}, \subseteq\rangle$ is a homomorph of the natural number division lattice $\langle N, |\rangle$, with $(a)$ as the least element and $(I)$ as the greatest. Further, when $a = [X\leftarrow F(X)]$ with $F$ uninterpreted, the homomorphism becomes an isomorphism.

Proof. If $m\mid n$ then $(a^m)\subseteq(a^n)$. Further, when $a = [X\leftarrow F(X)]$, if $m\nmid n$ then the formula
$P(X) \wedge \forall x\,(P(x) \supset \neg P(F(x)) \wedge \neg P(F^2(x)) \wedge \ldots \wedge P(F^m(x)))$
(which makes $P$ hold once every $m$ applications of $F$) is an invariant of (strictly, is a projection of an invariant of) $a^m$ but not of $a^n$. ∎
Theorem 23. $(a^*) = (a)$.

Proof. This follows immediately from $a^* = \bigcup\{a^n \mid n\geq0\}$, Theorem 20 and Corollary 22 (the part of the corollary that says that $(a)$ is the least element of $\{(a^n) \mid n\geq0\}$). ∎


Theorem 24 (Star Interpolation Theorem). Let $a^*$ be tidy, with $P\{a^*\}R$. Then there exists $Q$ satisfying $P\supset Q\supset R$ and $Q\{a\}Q$. (An equivalent statement of the theorem is that if $a^*$ is tidy, $\{a^*\} = \{I\}\cdot(a)\cdot\{I\}$.)

Proof. We need only treat the case when $a^*$ is forward tidy; the other case is the exact dual. Choose $Q = P(a^*\Rightarrow)$. Then $Q\supset R$ since $Q$ is the strongest consequent of $P$, and $P\supset Q$ since $I\subseteq a^*$. Moreover (using an improved version of our original argument suggested by R. Rivest)

$P\{a^*\}Q$
so $P\{a^*\circ a\}Q$    since $a^*\circ a \subseteq a^*$
so $P(\{a^*\}\cdot\{a\})Q$    Theorem 7; $a^*$ is forward tidy
so $P\{a^*\}S\{a\}Q$    for some $S\in\mathcal{L}$,
thus $Q\supset S$    $P\{a^*\}S$ and $Q$ is strongest
whence $Q\{a\}Q$    $S\{a\}Q$ ∎


Corollary 25. When all regular programs are tidy, $\{a\} \leq_m \{I\}$.

Proof. We proceed by induction on the height of a regular expression representing $a$. If $a$ is an instruction, the result follows from Theorems 12 and 13. If $a$ is the union or composition of two programs then Theorems 10 and 11 together with the induction hypothesis apply. If $a = b^*$ then by Theorem 24 $\{a\} = \{I\}\cdot(b)\cdot\{I\}$. By induction, all the components of this composition are r.e. reducible to $\{I\}$, hence so is $\{a\}$. ∎


Corollary 26. Under the conditions of Theorem 16, if $\{I\}$ is r.e. then $[V\leftarrow F(V)]^*$ is not tidy.

Proof. If it were tidy, then by Theorem 24 $\{[V\leftarrow F(V)]^*\}$ would be $\{I\}\cdot([V\leftarrow F(V)])\cdot\{I\}$, which is r.e. because all of its components are r.e. But this would then contradict Theorem 16. ∎